[Openswan Users] Can I share SA?

Paul Wouters paul at xelerance.com
Thu Oct 2 19:31:12 EDT 2008

On Thu, 2 Oct 2008, Jianqing Zhang wrote:

> Can I get Security Association from an end and import it a third party?
> Suppose two ends set up a connection as usual. Can I export security
> association(s) from one end and deploy them on a third party? Then, can
> the third party talk to either of original ends? (Suppose, the third
> party can fake its IP address.).

No, there is no SA passing or failover support in Openswan right now.

I am not sure what the status is for the NETKEY kernel component, and
whether it supports this. I guess using 'ip xfrm' it might be possible
to copy the policy and key for use on another system. But that's only
"phase 2", not "phase 1".


More information about the Users mailing list