[Swan-dev] hold/trap + acquires causing multiple IPsec negotiations

Tuomo Soini tis at foobar.fi
Mon May 4 08:29:49 EEST 2015

We have some problem in our initiation code, both ikev1 and ikev2. If
we have traffic which matches our ipsec policy when we are negotiating
a tunnel it causes us to negotiate several tunnels.

I didn't check further but I'm quite sure we before had a check in code
that if there was already matching tunnel negotiation we didn't start
new one when acquired - now we get new tunnel negotiation. So
restarting pluto on ipsec-gw causes road warrior to negotiate like 6
IPsec SAs because of acquires instead of one required.

Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>

More information about the Swan-dev mailing list