[Swan] Duplicate ip xfrm state entries, unconfigured ip xfrm state entries

Craig Marker cmarker at inspeednetworks.com
Tue Oct 23 22:44:51 UTC 2018


> On Sep 10, 2018, at 7:42 PM, Paul Wouters <paul at nohats.ca> wrote:
> 
> Not all your connections are loaded? or there is a misconfiguration? Or a
> race when you use --replace (which means --delete + add)

There’s some amount of time after reboot where connections aren’t all loaded.

> How many conns with %any do you have? The current VTI does not support
> more than one "any" target. It's a kernel limitation in VTI, which is
> being replaced by xfrmi interfaces that won't have that limitation.

I’ve tested with up two and that seems to route correctly. What sort of symptoms would you expect in this case?

> So on the server use auto=add and on the client use auto=ondemand ?

> it seems your auto=ondemand is causing acquires for everything? since you
> have 0/0 to 0/0 ?

> running --route (eg on demand) is a little strange, since you are trying
> to do these manually? you prob mean to go from --replace to --up.

I use --route because it creates the VTI and allows routes to be added through the VTI before a connection has been established. Though I don’t want ondemand causing acquires for everything. Is there a way to ensure the VTI is created without using ondemand? Relying on the updown script to add routes after the fact is an unacceptable solution.
--
cm
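As an added diagnostic that is not part of this thread, the script below parses `ip xfrm state` output, groups SAs by direction, and flags endpoint pairs that hold more than one state, which is one way leftover entries from a --replace (delete + add) race would show up. The sample output is constructed; the regexes assume the stock `ip xfrm state` text format.

```python
import re
from collections import defaultdict

# Constructed sample of `ip xfrm state` output (not captured from the thread).
# The first endpoint pair holds two ESP SAs in the same direction; the
# reverse direction holds one, which is the normal steady state.
SAMPLE_XFRM_STATE = """\
src 203.0.113.1 dst 198.51.100.2
    proto esp spi 0x0a1b2c3d reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0x00 128
    enc cbc(aes) 0x00
src 203.0.113.1 dst 198.51.100.2
    proto esp spi 0x0a1b2c3e reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0x00 128
    enc cbc(aes) 0x00
src 198.51.100.2 dst 203.0.113.1
    proto esp spi 0xc0ffee01 reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0x00 128
    enc cbc(aes) 0x00
"""

HEADER = re.compile(r"^src (\S+) dst (\S+)")
PROTO = re.compile(r"^\s+proto (\S+) spi (0x[0-9a-fA-F]+) reqid (\d+)")

def parse_xfrm_state(text):
    """Return one dict per SA with src, dst, proto, spi and reqid."""
    states, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2)}
            states.append(cur)
            continue
        m = PROTO.match(line)
        if m and cur is not None:
            cur.update(proto=m.group(1), spi=m.group(2), reqid=int(m.group(3)))
    return states

def find_duplicate_sas(states):
    """Map (src, dst, proto) -> SPIs for directions holding more than one SA.
    Two SAs per direction are expected briefly during a rekey; ones that
    persist after the rekey window are the candidates for stale entries."""
    by_dir = defaultdict(list)
    for s in states:
        by_dir[(s["src"], s["dst"], s["proto"])].append(s["spi"])
    return {k: v for k, v in by_dir.items() if len(v) > 1}

if __name__ == "__main__":
    dups = find_duplicate_sas(parse_xfrm_state(SAMPLE_XFRM_STATE))
    for (src, dst, proto), spis in dups.items():
        print(f"{src} -> {dst} ({proto}): {len(spis)} SAs, SPIs {', '.join(spis)}")
```

On a live host, feed it the real output with `ip xfrm state | python3 script.py`-style plumbing by reading `sys.stdin` instead of the constructed sample.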


