* Michael Richardson (mcr@xxxxxxxxxxxxxxxxxxxxxx) wrote:
> >>>>> "Stephen" == Stephen Frost <sfrost@xxxxxxxxxxx> writes:
> Stephen> interfaces to the IPSEC in Linux. Additionally, the
> Stephen> problem isn't that I've got too many policies which end up
> Stephen> requiring too many SADs- the problem is that SADs are
> Stephen> being created above and beyond what's actually necessary
> Stephen> for my policies, which is a problem. I'm not entirely sure
>
> There is certainly a bug in openswan 2.3.1drX, possibly in 2.3.0,
> where more SPD entries get created than necessary.
Well, that's interesting, since my problem had been with racoon...
> This would result in many SAD entries, since the incoming SAs are not
> removed until they expire, or the remote end asks for them to be deleted.
>
> As the SAD interface in NETKEY provided by netfilter/pfkey does not
> permit any kind of "insert here" option, it is possible that there is
> some other bug whereby SAD entries multiply.
Got me, but if you're seeing this with openswan too, well, that'd be
rather interesting and might point to a problem outside of the userspace
tools...
Stephen