[Openswan Users] Duplicate ESP SAs being created
Paul Wouters
paul at xelerance.com
Thu Feb 1 22:19:03 EST 2007
On Thu, 1 Feb 2007, Mike Horn wrote:
> I have a situation where I am seeing duplicate ESP SAs getting created
> between two Openswan devices. Both devices are using Openswan 2.4.6 with
> NETKEY on a 2.6.19 kernel. In my configuration there is only one connection
> statement between peers 172.3.3.5 and 172.4.4.10.
So according to Michael, that is a known race condition in IKEv1, which we
can't solve. With KLIPS, it is okay, because we can strongly link the SPD
and SADB, but netkey doesn't do that.
> If I set one end of the tunnel connection to "auto=add" and leave the other
> to "auto=start" then I only get one pair of SA as expected.
Yes, that is the workaround to use.
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
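The two ipsec.conf layouts being contrasted above, as an added example that is not from the original thread: the conn name, authby=secret and the host-to-host (no subnet) form are assumptions; the peer addresses are the ones Mike reports. Openswan works out which side it is from left/right, so the stanza is identical on both hosts except for auto=.

```conf
# --- Racing layout: both peers initiate at startup -----------------
# Identical stanza on 172.3.3.5 and 172.4.4.10. With auto=start on both
# ends each pluto starts an IKEv1 negotiation as soon as it loads the
# conn, and NETKEY (unlike KLIPS) cannot tie the resulting SADB entries
# back to one SPD policy, so two ESP SA pairs can end up installed.
conn site-a-to-site-b
    left=172.3.3.5
    right=172.4.4.10
    authby=secret
    auto=start

# --- Workaround layout: exactly one initiator ----------------------
# /etc/ipsec.conf on 172.3.3.5 (the side that initiates)
conn site-a-to-site-b
    left=172.3.3.5
    right=172.4.4.10
    authby=secret
    auto=start

# /etc/ipsec.conf on 172.4.4.10 (responder only)
# auto=add loads the conn so pluto will answer the peer, but never
# initiates it, so only one IKEv1 exchange and one ESP SA pair result.
conn site-a-to-site-b
    left=172.3.3.5
    right=172.4.4.10
    authby=secret
    auto=add
```

The responder side can still be brought up by hand with "ipsec auto --up site-a-to-site-b" if the initiating peer is unreachable, which is the trade-off of making only one end initiate.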