[Openswan Users] keeping SA made OCF resource leak

David McCullough David_Mccullough at securecomputing.com
Wed Jul 29 02:33:44 EDT 2009

Jivin Paul Wouters lays it down ...
> On Wed, 22 Jul 2009, willer.wang at cybertan.com.tw wrote:
>> 3. I don't know what's the purpose of OPENSWAN keeps all old outbound SAs all the time. Preventing to rebuild a same SA?
> To ensure a seamless transition, the old receiving SA's are kept until
> traffic arrives on the new SA. On the outgoing SA, I believe we drop
> the old one as soon as we are ready to use the new one for traffic.

Yep,  I thought that to,  but it seems that something is definately broken.
I can see the SA's increasing (cat /proc/net/ipsec_spi | wc -l) over time. 
Most certainly seems to be rekey related.

Hopefully it won't take too long to track the offending refcount discrepancy
and get this fixed ;-)


David McCullough,  david_mccullough at securecomputing.com,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.com                http://www.uCdot.org

More information about the Users mailing list