[Openswan dev] Losing shared phase1
David McCullough
david_mccullough at mcafee.com
Mon Oct 25 19:37:40 EDT 2010
Jivin Paul Wouters lays it down ...
>
> Hi,
>
> I just noticed the following behaviour and wondered if this was bug or intent:
>
> Imagine the following:
>
> conn net1
>     also=base
>     leftsubnet=1.2.3.0/24
> conn net2
>     also=base
>     leftsubnet=1.2.88.0/24
> conn base
> [...]
>
> When you bring up these two tunnels, you will end up with 1 ISAKMP and 2 IPsec SAs.
>
> Now when you do:
>
> ipsec auto --down net1
>
> then the phase1 and one of the phase2's will go away. You are left with one phase2
> that has no phase1. If you would do:
I've encountered/wondered about that. I don't know the historics, but in
my mind it seems wrong.
> ipsec auto --down net2
>
> then no Delete/Notify ever makes it to the other end.
>
> Question: Should we not keep the phase1 around on the first delete?
>
> I guess this can be difficult to determine. Perhaps that's why it was not implemented?
Perhaps we could restart a phase1 negotiation instead if accounting for the
phase1's that are shared is too hard?
I'd like to hear what others think, but to me, leaving a tunnel with no
phase1 is not right.
Cheers,
Davidm
--
David McCullough, david_mccullough at mcafee.com, Ph:+61 734352815
McAfee - SnapGear http://www.mcafee.com http://www.uCdot.org
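The teardown sequence discussed above, as an added model that is not Openswan code: two conns (net1, net2) share one phase 1, and the Delete/Notify for a phase 2 can only be sent while that phase 1 exists. The `policy` parameter and the `Gateway`/`Peer` names are constructed for the illustration; "current" is the behaviour Paul reports, "keep_shared" is his question (keep the phase 1 until the last phase 2 is gone), and "renegotiate" is David's alternative.

```python
"""Constructed model of --down with a shared phase 1 (not Openswan code)."""


class Peer:
    """Remote gateway; it only records the Delete/Notify messages it receives."""

    def __init__(self):
        self.deletes = []


class Gateway:
    """Local gateway: one shared ISAKMP (phase 1) SA, one IPsec (phase 2) SA per conn."""

    def __init__(self, peer, policy="current"):
        assert policy in ("current", "keep_shared", "renegotiate")
        self.peer, self.policy = peer, policy
        self.phase1_up = False
        self.phase2 = set()  # names of conns with an active IPsec SA

    def up(self, conn):
        self.phase1_up = True  # first conn negotiates phase 1, later conns reuse it
        self.phase2.add(conn)

    def _notify(self, kind, conn=None):
        # A Delete/Notify is an informational exchange protected by the phase 1;
        # with no phase 1 it is silently never sent (the problem in the thread).
        if self.phase1_up:
            self.peer.deletes.append((kind, conn))

    def down(self, conn):
        if conn not in self.phase2:
            return
        if self.policy == "renegotiate" and not self.phase1_up:
            self.phase1_up = True  # re-establish phase 1 just to send the Delete
        self.phase2.discard(conn)
        self._notify("IPsec", conn)
        # "current" and "renegotiate" drop the phase 1 on every --down;
        # "keep_shared" drops it only once no phase 2 depends on it any more.
        if self.policy != "keep_shared" or not self.phase2:
            self._notify("ISAKMP")
            self.phase1_up = False


def simulate(policy):
    """Bring up net1 and net2, down them in turn, return what the peer received."""
    peer = Peer()
    gw = Gateway(peer, policy)
    for conn in ("net1", "net2"):
        gw.up(conn)
    for conn in ("net1", "net2"):
        gw.down(conn)
    return peer.deletes
```

With "current", the peer never hears about net2 going down; the other two policies both get a Delete for net2 to the peer, at the cost of either SA bookkeeping or an extra phase 1 negotiation.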