[Swan-dev] IKEv1: Remove all IPsec SA's of a connection when newest SA is removed

D. Hugh Redelmeier hugh at mimosa.com
Wed Aug 26 09:33:32 EEST 2015


| From: Lennart Sorensen <lsorense at csclub.uwaterloo.ca>

| On Tue, Aug 25, 2015 at 01:17:06PM -0400, D. Hugh Redelmeier wrote:

| > | We are not talking about a second
| > | tunnel here (from what I understand)
| > 
| > I think that we are.  But the tunnels have essentially identical
| > policies.
| 
| No we are not.

In what sense are we not talking about two tunnels?

At least from our end it must look like two tunnels.

| Cisco occasionally sends two SAs for the same connection
| for some reason, but only uses the most recent one as far as I understood
| the problem.

What does "uses" mean?  Will it work inbound?  Will it work outbound,
once there is no longer the other one?

If it won't work for inbound, then surely a delete notification would
have been generated.  That notification hasn't happened since we still
have the SA bundle pair.

If it will work for inbound but not outbound, that seems kind of odd.

How does this come up?  Is this a race condition in negotiation?

Maybe I'm leaping to conclusions based on a very partial problem 
description.

