
Re: [IPSEC] Too many SADs!

To: netdev@xxxxxxxxxxx
Subject: Re: [IPSEC] Too many SADs!
From: Stephen Frost <sfrost@xxxxxxxxxxx>
Date: Tue, 22 Mar 2005 19:33:10 -0500
In-reply-to: <20050322224819.GB4924@xxxxxxxxxxx>
References: <200503220052.52756.wolfgang.walter@xxxxxxxxxxxxxxxxxxxx> <20050322224819.GB4924@xxxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mutt/1.5.6+20040907i
* Scott Mcdermott (smcdermott@xxxxxxxxxxx) wrote:
> What, openswan uses PF_KEY last I checked on kernel 2.6.  I
> guess you can use KLIPS, but why would you? What's this
> "netfilter-interface" to ipsec code?

This confused me too...

> I had the exact same problem the original poster had with
> Racoon.  SPDs would multiply without bounds, seemingly
> geometrically.

Yeah.  Not good. :(

> I switched to strongswan and the problems immediately
> vanished.  There is some bug in racoon where it doesn't
> replace SPDs.  I used the latest ipsec-utils and kernel and
> this problem did not go away until I switched instead to
> strongswan (still using PF_KEY) (it also worked with
> openswan).

Sounds like I may need to check out strongswan/openswan.  
I can tell you I wasn't exactly a fan of freeswan for a variety
of reasons.  I'm surprised there haven't been more people
talking about and looking into fixing this, kind of concerning..

        Thanks,

                Stephen

Attachment: signature.asc
Description: Digital signature
