[Swan] IPSec IKE SA "leakage" with 3.18-git
Paul Wouters
paul at nohats.ca
Mon Oct 3 17:25:52 UTC 2016
On Mon, 3 Oct 2016, Reuben Farrelly wrote:
> Looks like there is a leakage with SAs not being cleaned up properly with
> the latest -git code. I am still running VTIs - so this could be a part of
> the problem.
I don't think so?
I notice you have dpdaction=clear. Setting that to dpdaction=hold should
stop plaintext from leaking.
> So there are some 1810 SAs in total - all authenticated but there is only
> one active client (my Cisco router).
That _is_ a problem. What version is this? We did fix a bug a while ago
where a failing connection would accidentally get cloned on retry and so
you would exponentially gain more non-working connection instances :/
(This was one or two releases ago. If you were on 3.18 or git, please get
me a log of the failing connection that shows instantiating more of them)
Paul
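The dpdaction advice above boils down to a config audit: with dpdaction=clear, a peer declared dead by DPD has its connection and kernel policy removed, so traffic for that selector can be routed unprotected; with dpdaction=hold a trap policy stays in place and traffic is held until the tunnel is renegotiated. The following checker is an added example (not code from this thread or from libreswan) that parses an ipsec.conf, resolves "conn %default" inheritance and "also=" references, and flags every conn whose effective dpdaction is clear. It assumes libreswan's documented default of dpdaction=hold and treats DPD as enabled only when dpddelay is set; the sample configuration and the function names (parse_ipsec_conf, effective_conn, audit_dpd, leaky_conns, harden_dpdaction) are constructed for the example.

```python
"""Audit a libreswan-style ipsec.conf for DPD actions that can leak plaintext.

Assumptions (not verified against any particular libreswan release):
  * dpdaction=clear removes the connection and its policy when the peer is
    declared dead, so matching traffic may leave in the clear;
  * dpdaction=hold keeps a trap policy, so traffic is held instead;
  * dpdaction defaults to 'hold' when unset, and DPD is only active when
    dpddelay is configured.
"""
import re

# Constructed sample ipsec.conf: one leaky conn, one corrected conn, and one
# conn that silently inherits the leaky setting from 'conn %default'.
SAMPLE_CONF = """\
config setup
    protostack=netkey

conn %default
    keyexchange=ike
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear

conn cisco-vti-leaky
    left=203.0.113.10
    right=198.51.100.5
    auto=start
    dpdaction=clear      # weak: policy removed on DPD timeout, plaintext can leak

conn cisco-vti-fixed
    left=203.0.113.10
    right=198.51.100.5
    auto=start
    dpdaction=hold       # corrected: trap policy kept, traffic held

conn inherits-default
    left=203.0.113.10
    right=198.51.100.7
    auto=add
"""


def parse_ipsec_conf(text):
    """Return {(kind, name): {key: value}} for every section in the file.

    Section headers ('conn NAME', 'config setup') start in column 0; settings
    are indented 'key=value' lines. '#' starts a comment.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
            continue
        key, sep, value = line.strip().partition("=")
        if sep and current is not None:
            current[key.strip()] = value.strip()
    return sections


def effective_conn(sections, name, seen=None):
    """Resolve a conn's settings: own keys > also= sections > conn %default."""
    seen = set() if seen is None else seen
    if name in seen:          # guard against also= cycles
        return {}
    seen.add(name)
    own = dict(sections.get(("conn", name), {}))
    also_names = [a.strip() for a in own.pop("also", "").split(",") if a.strip()]
    merged = dict(sections.get(("conn", "%default"), {}))
    for also in also_names:
        merged.update(effective_conn(sections, also, seen))
    merged.update(own)
    return merged


def audit_dpd(text):
    """Return {conn_name: {'action', 'dpd_enabled', 'leaks_plaintext'}}."""
    sections = parse_ipsec_conf(text)
    report = {}
    for kind, name in sections:
        if kind != "conn" or name == "%default":
            continue
        cfg = effective_conn(sections, name)
        action = cfg.get("dpdaction", "hold").lower()   # assumed default: hold
        dpd_enabled = "dpddelay" in cfg                  # assumed: DPD needs dpddelay
        report[name] = {
            "action": action,
            "dpd_enabled": dpd_enabled,
            "leaks_plaintext": dpd_enabled and action == "clear",
        }
    return report


def leaky_conns(text):
    """Names of conns (in file order) whose DPD action can leak plaintext."""
    return [n for n, r in audit_dpd(text).items() if r["leaks_plaintext"]]


def harden_dpdaction(text):
    """Rewrite every 'dpdaction=clear' line to 'dpdaction=hold'."""
    return re.sub(r"^([ \t]*dpdaction[ \t]*=[ \t]*)clear\b", r"\1hold", text, flags=re.M)


if __name__ == "__main__":
    for name, verdict in audit_dpd(SAMPLE_CONF).items():
        print(f"{name:20s} dpdaction={verdict['action']:8s} "
              f"leaks_plaintext={verdict['leaks_plaintext']}")
```

Run against a real /etc/ipsec.conf, the interesting output is usually the conn that never sets dpdaction itself and inherits clear from "conn %default"; harden_dpdaction rewrites those lines in place so the audit comes back empty.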