[strongSwan-dev] Jousting w/ IKEv2
Jeff Chilton
jeff.chilton at mail.ois.com
Mon May 11 20:04:44 CEST 2015
Hello Developers,
I've been doing some tests with two hosts (running version 5.3.0) trying
to initiate IKEv2 sessions (with each other), both starting via "ipsec
up" at approximately the same time.
What I'm seeing is--every once and a while; seems to depend on
timing--is one side will end up with two complete sets of SA's ("2 up, 0
connecting") while the other side settles with only one set. The ESP
SPIs indicate the single set corresponding to the higher []-numbered
ones at the side with two.
ESP traffic does flow in this condition, but I'm concerned it's by luck,
requiring the side with the extra set of SAs to use the correct one when
transmitting. Also, if the valid pair gets torn, the side left with the
extra, un-matched SA goes incommunicado.
Is this a known issue, or something I should enter as one?
/jwc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4583 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20150511/9d9750e3/attachment.bin>
More information about the Dev
mailing list