[Openswan Users] Duplicate ESP SAs being created

Paul Wouters paul at xelerance.com
Fri Feb 2 17:56:07 EST 2007


On Fri, 2 Feb 2007, Mike Horn wrote:

> I guess what I'm wondering is why the system retains the duplicate ESP SA in
> the SADB, I thought it would delete the old SA once the new SA was
> established and became active.  This is a similar situation to rekeying an
> existing SA where for a period of time there are two SAs, but once the new
> SA becomes active the old SA is deleted.

Normally, ESP SAs are kept, because data might come in, despite a new SA having
been established. I am not sure how KLIPS and NETKEY behave differently in this
respect. Michael?

> Could this be a bug in NETKEY?

Perhaps..

Paul

> -mike
>
> > -----Original Message-----
> > From: Paul Wouters [mailto:paul at xelerance.com]
> > Sent: Friday, February 02, 2007 12:54 PM
> > To: Mike Horn
> > Cc: Users at openswan.org
> > Subject: RE: [Openswan Users] Duplicate ESP SAs being created
> >
> > On Fri, 2 Feb 2007, Mike Horn wrote:
> >
> > > Thanks Paul.  I haven't seen this issue in other IPsec devices, is
> > > there any way to delete the first set of SAs (since they won't be used)
> > > once the second set has been negotiated?
> >
> > I assume that when you send a DELETE command, the other end,
> > having auto=start, will start its own new connection again,
> > and you re-state the problem.
> >
> > Paul
> >
> >
>
>

-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
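As an added example, not code from the thread or from the Openswan project: a small diagnostic that reads the NETKEY SADB as printed by `ip xfrm state` and flags peer pairs that hold more than one ESP SA for the same reqid, which is the "duplicate SA" condition discussed above. The `ip xfrm state` text below is constructed sample output (addresses, SPIs and reqids are made up) so the script runs offline; on a live host replace it with `ip xfrm state | find_duplicate_sas`.

```shell
#!/bin/sh
# Constructed sample of `ip xfrm state` output: two peers (192.0.2.1 and
# 198.51.100.1) each hold two ESP SAs per direction under reqid 16385, which
# is the duplicate condition; the 203.0.113.7 tunnel is a normal single SA.
SAMPLE_XFRM_STATE='src 192.0.2.1 dst 198.51.100.1
    proto esp spi 0x0a1b2c3d reqid 16385 mode tunnel
    replay-window 32 flag af-unspec
src 198.51.100.1 dst 192.0.2.1
    proto esp spi 0x1e2f3a4b reqid 16385 mode tunnel
    replay-window 32 flag af-unspec
src 192.0.2.1 dst 198.51.100.1
    proto esp spi 0x5c6d7e8f reqid 16385 mode tunnel
    replay-window 32 flag af-unspec
src 198.51.100.1 dst 192.0.2.1
    proto esp spi 0x9a0b1c2d reqid 16385 mode tunnel
    replay-window 32 flag af-unspec
src 192.0.2.1 dst 203.0.113.7
    proto esp spi 0x00000123 reqid 16389 mode tunnel
    replay-window 32 flag af-unspec'

# find_duplicate_sas: reads `ip xfrm state` text on stdin and prints one line
# per (src, dst, reqid) key that carries more than one ESP SA, listing the SPIs.
find_duplicate_sas() {
    awk '
        # An SA entry starts with "src A dst B"; remember the endpoints.
        $1 == "src" && $3 == "dst" { src = $2; dst = $4; next }
        # The "proto esp ..." line carries the SPI and reqid of that entry.
        $1 == "proto" && $2 == "esp" {
            for (i = 3; i <= NF; i++) {
                if ($i == "spi")   spi   = $(i + 1)
                if ($i == "reqid") reqid = $(i + 1)
            }
            key = src " -> " dst " reqid " reqid
            count[key]++
            spis[key] = spis[key] (spis[key] == "" ? "" : ",") spi
        }
        END {
            for (k in count)
                if (count[k] > 1)
                    printf "DUPLICATE %s: %d SAs (spi %s)\n", k, count[k], spis[k]
        }
    ' | sort
}

# count_duplicate_keys: number of (src, dst, reqid) keys with more than one SA.
count_duplicate_keys() {
    printf '%s\n' "$SAMPLE_XFRM_STATE" | find_duplicate_sas | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_XFRM_STATE" | find_duplicate_sas
```

A non-zero count after the rekey window has passed is worth a closer look at whether the old SA is still seeing traffic before treating it as stale.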
