[strongSwan] Charon: Limit the Number of SAs that can be created with same Traffic Selectors

Andreas Steffen andreas.steffen at strongswan.org
Mon Dec 6 13:36:56 CET 2010


Hi Sajal,

which strongSwan version are you using? We had some rekeying
problems in the past, where multiple IKE and CHILD SAs were
established over time. In newer version though, usually only
one SA with a given traffic selector is installed or there
might be at the most two IKE_SAs and corresponding CHILD_SAs
if both sides initiate simultaneously with auto=start.

Regards

Andreas

On 06.12.2010 12:21, Sajal Malhotra wrote:
> Hi,
> 
> I am using Strongswan Charon (IKEv2) stack. Just wanted to know if there
> is *any limit *that we can put on the number of CHILD SAs that can be
> created using the *same Traffic Selectors.*
> Actually I have a limited memory in my system and hence cannot afford to
> have uncountable SAs being created with same TS.
> 
> Also, what is the handling done by charon if the kernel returns failure
> because it is unable to install SAD or SPD due to insufficient  memory
> space.
> 
> Is there a way to stop charon from creating multiple CHILD SA with same TS
> 
> Thanks and Regards
> Sajal

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==




More information about the Users mailing list