[Openswan Users] Duplicate ESP SAs being created
Mike Horn
lists at caddisconsulting.com
Fri Feb 2 14:06:09 EST 2007
Thanks Paul. I haven't seen this issue in other IPsec devices; is there
any way to delete the first set of SAs (since they won't be used) once the
second set has been negotiated?
Thanks,
-mike
> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Thursday, February 01, 2007 8:19 PM
> To: Mike Horn
> Cc: Users at openswan.org
> Subject: Re: [Openswan Users] Duplicate ESP SAs being created
>
> On Thu, 1 Feb 2007, Mike Horn wrote:
>
> > I have a situation where I am seeing duplicate ESP SAs getting created
> > between two Openswan devices. Both devices are using Openswan 2.4.6
> > with NETKEY on a 2.6.19 kernel. In my configuration there is only one
> > connection statement between peers 172.3.3.5 and 172.4.4.10.
>
> So according to Michael, that is a known race condition in
> IKEv1, which we can't solve. With KLIPS, it is okay, because
> we can strongly link the SPD and SADB, but netkey doesn't do that.
>
> > If I set one end of the tunnel connection to "auto=add" and leave the
> > other to "auto=start" then I only get one pair of SA as expected.
>
> Yes, that is the workaround to use.
>
> Paul
> --
> Building and integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>
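Added example, not code from the thread or from Openswan: a small Python check that parses `ip xfrm state` output (the NETKEY/XFRM security association database Paul refers to) and reports every direction carrying more than one ESP SA, which is what the simultaneous-initiation race described above leaves behind. The sample output below is constructed; only the peer addresses are taken from Mike's report, and the SPIs and reqids are made up.

```python
"""Flag directions with more than one ESP SA in `ip xfrm state` output."""
import re

# Constructed sample of `ip xfrm state` output (not captured from the
# thread): two ESP SAs in each direction between the peers Mike named,
# which is what the duplicate negotiation leaves in the NETKEY SAD.
SAMPLE_XFRM_STATE = """\
src 172.3.3.5 dst 172.4.4.10
    proto esp spi 0x0a1b2c3d reqid 16385 mode tunnel
    replay-window 32 flag af-unspec
src 172.4.4.10 dst 172.3.3.5
    proto esp spi 0x1e2f3a4b reqid 16385 mode tunnel
    replay-window 32 flag af-unspec
src 172.3.3.5 dst 172.4.4.10
    proto esp spi 0x2b3c4d5e reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
src 172.4.4.10 dst 172.3.3.5
    proto esp spi 0x3c4d5e6f reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
"""

SA_HEADER = re.compile(r"^src (\S+) dst (\S+)")
SA_PROTO = re.compile(r"^\s+proto (\S+) spi (0x[0-9a-fA-F]+)")


def parse_xfrm_state(text):
    """Return one (src, dst, proto, spi) tuple per SA; tabs or spaces accepted."""
    sas, current = [], None
    for line in text.splitlines():
        m = SA_HEADER.match(line)
        if m:
            current = (m.group(1), m.group(2))
            continue
        m = SA_PROTO.match(line)
        if m and current:
            sas.append((current[0], current[1], m.group(1), m.group(2)))
    return sas


def duplicate_esp_directions(text):
    """Map (src, dst) -> SPIs for every direction carrying more than one ESP SA."""
    by_dir = {}
    for src, dst, proto, spi in parse_xfrm_state(text):
        if proto == "esp":  # AH and IPComp entries are ignored
            by_dir.setdefault((src, dst), []).append(spi)
    return {d: spis for d, spis in by_dir.items() if len(spis) > 1}


if __name__ == "__main__":
    for (src, dst), spis in duplicate_esp_directions(SAMPLE_XFRM_STATE).items():
        print(f"{src} -> {dst}: {len(spis)} ESP SAs ({', '.join(spis)})")
```

On a live host, feed the output of `ip xfrm state` to `duplicate_esp_directions()`; note that a normal rekey also leaves two SAs per direction for a short overlap, so only a pair that persists across several checks indicates the condition discussed in the thread.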