[Swan-dev] IKEv1: Remove all IPsec SA's of a connection when newest SA is removed

Lennart Sorensen lsorense at csclub.uwaterloo.ca
Tue Aug 25 20:53:33 EEST 2015


On Tue, Aug 25, 2015 at 01:17:06PM -0400, D. Hugh Redelmeier wrote:
> I don't think so.  The way you described the original problem, two
> identical tunnels are created through a race condition.  So they both
> will have similar lifetimes.
> 
> "replaced" is not a concept in IKEv1.  It is a weak notion in our code.  
> There is no way to know if the other side shares that notion.
> 
> Off the top of my head, without due diligence, I would say that if one SA 
> is deleted, and it is the eroute owner, and there is an identical SA, it 
> should be made the eroute owner.
> 
> | We are not talking about a second
> | tunnel here (from what I understand)
> 
> I think that we are.  But the tunnels have essentially identical
> policies.

No we are not.  Cisco occasionally sends two SAs for the same connection
for some reason, but only uses the most recent one as far as I understood
the problem.

-- 
Len Sorensen
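Added example, not part of this thread and not libreswan's pluto code: a small Python model of the two bookkeeping rules under discussion, so the difference can be exercised on the race case described above (two SAs with identical policy, only the newest in use). The class and field names (Connection, IpsecSA, eroute_owner, the "handover" and "remove_all" modes) and the rule that the most recently installed SA owns the eroute are assumptions made for the illustration, not a description of how pluto actually does it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class IpsecSA:
    """One IPsec SA of a connection (illustration only, not pluto's struct state)."""
    serialno: int   # assumption: a higher serial number means a newer SA
    policy: str     # stand-in for selectors/transforms; equal strings = identical SAs


@dataclass
class Connection:
    """Per-connection SA table with one eroute owner (assumed model)."""
    name: str
    sas: Dict[int, IpsecSA] = field(default_factory=dict)
    eroute_owner: Optional[int] = None   # serialno of the SA that owns the eroute

    def install(self, sa: IpsecSA) -> None:
        # Assumption: the most recently installed SA takes over the eroute,
        # which matches "only uses the most recent one" in the race case.
        self.sas[sa.serialno] = sa
        self.eroute_owner = sa.serialno

    def newest(self) -> Optional[int]:
        return max(self.sas) if self.sas else None

    def delete(self, serialno: int, mode: str = "handover") -> List[int]:
        """Delete one SA and return the serial numbers that ended up removed.

        mode="handover": if the victim owned the eroute, pass the eroute to the
        newest surviving SA with an identical policy; if none exists the
        connection is left without an eroute owner.
        mode="remove_all": if the victim was the newest SA, tear down every
        remaining SA of the connection as well.
        """
        if serialno not in self.sas:
            raise KeyError(f"no SA #{serialno} on {self.name}")
        victim = self.sas.pop(serialno)
        removed = [serialno]

        if mode == "remove_all":
            if victim.serialno > max(self.sas, default=-1):   # victim was the newest
                removed.extend(sorted(self.sas, reverse=True))
                self.sas.clear()
                self.eroute_owner = None
            elif self.eroute_owner == serialno:
                self.eroute_owner = self.newest()
            return removed

        if mode != "handover":
            raise ValueError(f"unknown mode {mode!r}")
        if self.eroute_owner == serialno:
            twins = [s for s in self.sas.values() if s.policy == victim.policy]
            self.eroute_owner = max(t.serialno for t in twins) if twins else None
        return removed


def race_case(mode: str) -> Connection:
    """Two identical SAs from the race, then the newest one is deleted."""
    conn = Connection("peer")
    conn.install(IpsecSA(1, "net-a<->net-b"))
    conn.install(IpsecSA(2, "net-a<->net-b"))   # duplicate, now the eroute owner
    conn.delete(2, mode=mode)
    return conn


if __name__ == "__main__":
    for mode in ("handover", "remove_all"):
        c = race_case(mode)
        print(mode, "-> remaining SAs:", sorted(c.sas), "eroute owner:", c.eroute_owner)
```

With "handover" the older duplicate keeps the tunnel up; with "remove_all" the connection ends up with no SAs at all and has to be renegotiated, which is the trade-off the thread is weighing.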

