[Openswan Users] Duplicate ESP SAs being created

Mike Horn lists at caddisconsulting.com
Fri Feb 2 17:03:09 EST 2007


I guess what I'm wondering is why the system retains the duplicate ESP SA in
the SADB; I thought it would delete the old SA once the new SA was
established and became active.  This is a similar situation to rekeying an
existing SA, where for a period of time there are two SAs, but once the new
SA becomes active the old SA is deleted.

Could this be a bug in NETKEY?

-mike

> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com] 
> Sent: Friday, February 02, 2007 12:54 PM
> To: Mike Horn
> Cc: Users at openswan.org
> Subject: RE: [Openswan Users] Duplicate ESP SAs being created
> 
> On Fri, 2 Feb 2007, Mike Horn wrote:
> 
> > Thanks Paul.  I haven't seen this issue in other IPsec devices, is
> > there any way to delete the first set of SAs (since they won't be used)
> > once the second set has been negotiated?
> 
> I assume that when you send a DELETE command, the other end, 
> having auto=start, will start its own new connection again, 
> and you re-state the problem.
> 
> Paul
> 
> 
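
The situation Mike describes (two ESP SAs per direction for the same peers, only one of them carrying traffic) can be checked from the kernel side rather than from pluto's logs. The script below is an added example for this thread, not Openswan or NETKEY code: it parses the text produced by iproute2's `ip -s xfrm state` (the "src A dst B" header, the "proto esp spi ... reqid ... mode ..." line, and the "N(bytes), M(packets)" line under "lifetime current:") and reports duplicate ESP SAs, flagging the ones that have stayed idle while a sibling SA in the same group is in use. The sample output embedded in it is constructed, not a real capture, and the grouping key (src, dst, reqid, mode) is an assumption about how NETKEY's duplicate instances look; a rekey in progress also shows two SAs briefly, which is why both-idle groups are deliberately not flagged.

```python
"""Find lingering duplicate ESP SAs in `ip -s xfrm state` output.

Added example for the Openswan thread above; not Openswan or NETKEY code.
Assumptions: iproute2's `ip -s xfrm state` text format and the constructed
sample below in place of a real capture.
"""
import re
from collections import defaultdict

# Constructed sample (not a real capture): two SA pairs between the same
# peers with the same reqid; the first pair is idle, the second carries traffic.
SAMPLE_XFRM_STATE = """\
src 192.0.2.1 dst 198.51.100.1
\tproto esp spi 0x0b3a5b11 reqid 16385 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha1) 0x00112233445566778899aabbccddeeff00112233 96
\tenc cbc(aes) 0x000102030405060708090a0b0c0d0e0f
\tlifetime current:
\t  0(bytes), 0(packets)
\t  add 2007-02-02 12:54:00 use -
src 198.51.100.1 dst 192.0.2.1
\tproto esp spi 0x9c2d41ff reqid 16385 mode tunnel
\tlifetime current:
\t  0(bytes), 0(packets)
\t  add 2007-02-02 12:54:00 use -
src 192.0.2.1 dst 198.51.100.1
\tproto esp spi 0x1e7f9a02 reqid 16385 mode tunnel
\tlifetime current:
\t  48120(bytes), 401(packets)
\t  add 2007-02-02 12:54:03 use 2007-02-02 12:55:10
src 198.51.100.1 dst 192.0.2.1
\tproto esp spi 0x4d88c0e3 reqid 16385 mode tunnel
\tlifetime current:
\t  51004(bytes), 398(packets)
\t  add 2007-02-02 12:54:03 use 2007-02-02 12:55:10
"""

HEADER_RE = re.compile(r"^src (\S+) dst (\S+)")
PROTO_RE = re.compile(r"^\s*proto (\S+) spi (0x[0-9a-f]+) reqid (\d+) mode (\S+)", re.I)
CURRENT_RE = re.compile(r"^\s*(\d+)\(bytes\), (\d+)\(packets\)")


def parse_xfrm_state(text):
    """Parse `ip -s xfrm state` text into a list of SA dicts."""
    sas = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"src": m.group(1), "dst": m.group(2), "bytes": None, "packets": None}
            sas.append(current)
            continue
        if current is None:
            continue
        m = PROTO_RE.match(line)
        if m:
            current.update(proto=m.group(1).lower(), spi=int(m.group(2), 16),
                           reqid=int(m.group(3)), mode=m.group(4))
            continue
        m = CURRENT_RE.match(line)
        if m:  # traffic counters from the "lifetime current:" block
            current["bytes"] = int(m.group(1))
            current["packets"] = int(m.group(2))
    return [sa for sa in sas if "spi" in sa]


def find_duplicate_sas(sas):
    """Group ESP SAs by (src, dst, reqid, mode) and return groups with >1 SPI.

    The grouping key is an assumption about how duplicate NETKEY instances
    of one connection appear; adjust it if your SADB shows distinct reqids.
    """
    groups = defaultdict(list)
    for sa in sas:
        if sa["proto"] != "esp":
            continue
        groups[(sa["src"], sa["dst"], sa["reqid"], sa["mode"])].append(sa)
    return {key: group for key, group in groups.items() if len(group) > 1}


def idle_duplicate_spis(sas):
    """SPIs of duplicate SAs that carried no traffic while a sibling did.

    A rekey in progress also shows two SAs per direction, possibly both
    idle, so an SA is only flagged when another SA in its group is in use.
    """
    idle = []
    for group in find_duplicate_sas(sas).values():
        if not any((sa["bytes"] or 0) > 0 for sa in group):
            continue
        idle.extend(sa["spi"] for sa in group if sa["bytes"] == 0)
    return sorted(idle)


if __name__ == "__main__":
    sas = parse_xfrm_state(SAMPLE_XFRM_STATE)
    for (src, dst, reqid, mode), group in find_duplicate_sas(sas).items():
        print(f"{src} -> {dst} reqid {reqid} {mode}: "
              + ", ".join(f"spi 0x{sa['spi']:08x} ({sa['bytes']} bytes)" for sa in group))
    print("idle duplicates:", [f"0x{spi:08x}" for spi in idle_duplicate_spis(sas)])
```

On a live system, feed it `ip -s xfrm state` and check the report over a few minutes so that an SA that is merely young is not mistaken for a dead one. Removing a flagged SA with `ip xfrm state delete src ... dst ... proto esp spi 0x...` only touches the kernel SADB; pluto still believes that SA exists, and, as Paul notes above, sending an IKE DELETE instead makes a peer with auto=start bring the connection up again, which recreates the problem.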



