[strongSwan] Charon: Limit the Number of SAs that can be created with same Traffic Selectors

Sajal Malhotra sajalmalhotra at gmail.com
Tue Dec 7 07:29:56 CET 2010


Also, Just to confirm/clarify:

Do you mean to say that with the fix in the latest version:

   - If we fire an "ipsec up" command for a connection multiple times, OR
   - If we fire "ipsec up" command for a connection that is already up (i.e
   SA for it is already established)

Then Also only one SA will be installed. Correct ?
If Yes, then i would really appreciate if you can point us to the piece of
code which handles this fix

Thanks and Regards
Sajal

On Tue, Dec 7, 2010 at 11:45 AM, Sajal Malhotra <sajalmalhotra at gmail.com>wrote:

> Hi Andreas,
>
> Thanks for the prompt response.
> We are using a pretty old version 4.2.8 :(
> Do you have any patch available for this fix. Or can you just hint us on
> the source code files where we can look for the change.
> It would be a great help.
>
>
> Thanks and Regards
> Sajal Malhotra
>
>
>
> On Mon, Dec 6, 2010 at 6:06 PM, Andreas Steffen <
> andreas.steffen at strongswan.org> wrote:
>
>> Hi Sajal,
>>
>> which strongSwan version are you using? We had some rekeying
>> problems in the past, where multiple IKE and CHILD SAs were
>> established over time. In newer version though, usually only
>> one SA with a given traffic selector is installed or there
>> might be at the most two IKE_SAs and corresponding CHILD_SAs
>> if both sides initiate simultaneously with auto=start.
>>
>> Regards
>>
>> Andreas
>>
>> On 06.12.2010 12:21, Sajal Malhotra wrote:
>> > Hi,
>> >
>> > I am using Strongswan Charon (IKEv2) stack. Just wanted to know if there
>> > is *any limit *that we can put on the number of CHILD SAs that can be
>> > created using the *same Traffic Selectors.*
>> > Actually I have a limited memory in my system and hence cannot afford to
>> > have uncountable SAs being created with same TS.
>> >
>> > Also, what is the handling done by charon if the kernel returns failure
>> > because it is unable to install SAD or SPD due to insufficient  memory
>> > space.
>> >
>> > Is there a way to stop charon from creating multiple CHILD SA with same
>> TS
>> >
>> > Thanks and Regards
>> > Sajal
>>
>> ======================================================================
>> Andreas Steffen                         andreas.steffen at strongswan.org
>> strongSwan - the Linux VPN Solution!                www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[ITA-HSR]==
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20101207/c2c7b490/attachment.html>


More information about the Users mailing list