Re: [IPSEC] Too many SADs!

To: netdev@xxxxxxxxxxx
Subject: Re: [IPSEC] Too many SADs!
From: Scott Mcdermott <smcdermott@xxxxxxxxxxx>
Date: Tue, 22 Mar 2005 14:48:21 -0800
In-reply-to: <200503220052.52756.wolfgang.walter@xxxxxxxxxxxxxxxxxxxx>
Mail-followup-to: netdev@xxxxxxxxxxx
References: <200503220052.52756.wolfgang.walter@xxxxxxxxxxxxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mutt/1.4.1i
Wolfgang Walter on Tue 22/03 00:52 +0100:
> We had the same problem. Seems to be a limitation of the
> pfkey-implementation of linux.
> 
> racoon and setkey both use the pfkey-interface.
> 
> We switched to iproute2 and openswan which both use the
> netfilter-interface.  Therefore they can handle thousands
> of SAD and SPD rules.

What, openswan uses PF_KEY last I checked on kernel 2.6.  I
guess you can use KLIPS, but why would you? What's this
"netfilter-interface" to ipsec code?

I had the exact same problem the original poster had with
Racoon.  SPDs would multiply without bounds, seemingly
geometrically.

I switched to strongswan and the problems immediately
vanished.  There is some bug in racoon where it doesn't
replace SPDs.  I used the latest ipsec-utils and kernel and
this problem did not go away until I switched instead to
strongswan (still using PF_KEY) (it also worked with
openswan).
