[strongSwan] Running dual instances of strongswan

T Cheung tccheung1 at gmail.com
Mon Sep 10 19:42:59 CEST 2012


Hi Tobias,

We need two different strongSwan instances because one is used for standard IPsec
and the other is used to provide key exchange for other non-IPsec security protocols
using hardware.

We use different IP address ranges for these two different charons. So far they
seem to run well for days, other than this starter cleanup which flushes everything.
What's this reqid range issue you mentioned? Could you elaborate more on this?

Thanks,
Terry

On Mon, Sep 10, 2012 at 4:22 AM, Tobias Brunner <tobias at strongswan.org> wrote:
> Hi Terry,
>
>> I have 2 instances of strongswan running.
>
> What exactly is the reason for this?
>
> Did you patch one instance to use a different range for its reqids?  As
> these are used to connect policies with SAs in the kernel you will
> eventually run into problems if you didn't.
>
>> After I removed the SA deletion
>> code from one, the other tunnel remains up.
>>
>> I wonder if this is a good workaround.  Are there any resources leaked
>> if starter does not delete SAs when exiting?
>
> starter flushes SAs and policies mainly to clean up in case the daemon
> has crashed (so that a proper restart is possible as especially the
> policies couldn't be installed otherwise).  But there should not be any
> resource leaks if starter does not do this, the daemon should clean up
> properly after itself when terminating.
>
>> Will it reuse those same SAs when it comes back up?
>
> No, that it won't do.  The daemon also assumes that it has full control
> over the kernel, that is, if both instances tried to install the same
> policies you'd have a conflict that the daemon currently can't resolve.
> The same applies after it crashed and old policies were still installed
> in the kernel.
>
> Regards,
> Tobias
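
Tobias's reqid remark above is about how the kernel's XFRM tables tie policies to SAs: each charon assumes a reqid identifies exactly one of its own connections. The script below is an added example, not code from this thread or from strongSwan. It parses `ip xfrm state` and `ip xfrm policy` output (a constructed sample is embedded so it runs offline) and reports any reqid shared by two different tunnels, which is what you would expect to find with two unpatched instances if each numbers its reqids from 1 (that allocation behaviour is an assumption of the example, not something the thread states). It is read-only; it does not flush anything.

```python
"""Detect reqid collisions between two charon instances from XFRM dumps.

Added example (not strongSwan code). The dumps below are constructed for
this example; on a live host feed it the output of `ip xfrm state` and
`ip xfrm policy` instead, e.g. via subprocess.
"""
import re
from collections import defaultdict

# Constructed sample `ip xfrm state` output. Instance A owns the tunnel
# 192.0.2.1 <-> 192.0.2.2, instance B owns 198.51.100.1 <-> 198.51.100.2
# and 198.51.100.1 <-> 203.0.113.7. Assumed: both instances started
# numbering reqids at 1, so A's first tunnel and B's first tunnel collide.
SAMPLE_STATE = """\
src 192.0.2.1 dst 192.0.2.2
	proto esp spi 0xc9a1f00d reqid 1 mode tunnel
	replay-window 0 flag af-unspec
	auth-trunc hmac(sha256) 0x0011 128
	enc cbc(aes) 0x2233
src 192.0.2.2 dst 192.0.2.1
	proto esp spi 0xc4f3b33f reqid 1 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha256) 0x4455 128
	enc cbc(aes) 0x6677
src 198.51.100.1 dst 198.51.100.2
	proto esp spi 0xc0ffee01 reqid 1 mode tunnel
	replay-window 0 flag af-unspec
	auth-trunc hmac(sha256) 0x8899 128
	enc cbc(aes) 0xaabb
src 198.51.100.1 dst 203.0.113.7
	proto esp spi 0xc0ffee02 reqid 2 mode tunnel
	replay-window 0 flag af-unspec
	auth-trunc hmac(sha256) 0xccdd 128
	enc cbc(aes) 0xeeff
"""

# Constructed sample `ip xfrm policy` output for the same two instances.
SAMPLE_POLICY = """\
src 10.1.0.0/16 dst 10.2.0.0/16 
	dir out priority 375423 ptype main 
	tmpl src 192.0.2.1 dst 192.0.2.2
		proto esp spi 0x00000000 reqid 1 mode tunnel
src 172.16.0.0/12 dst 172.20.0.0/16 
	dir out priority 375423 ptype main 
	tmpl src 198.51.100.1 dst 198.51.100.2
		proto esp spi 0x00000000 reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
"""

HEADER = re.compile(r"^src (\S+) dst (\S+)")
TMPL = re.compile(r"tmpl src (\S+) dst (\S+)")
REQID = re.compile(r"\breqid (\d+)")
SPI = re.compile(r"\bspi (0x[0-9a-fA-F]+)")


def split_records(dump):
    """Split a dump into records; each record starts at an unindented line."""
    records, current = [], []
    for line in dump.splitlines():
        if line and not line[0].isspace() and current:
            records.append("\n".join(current))
            current = []
        if line.strip():
            current.append(line)
    if current:
        records.append("\n".join(current))
    return records


def parse_states(dump):
    """Return [(reqid, (outer_src, outer_dst), spi)] for each SA."""
    out = []
    for rec in split_records(dump):
        hdr, rq, spi = HEADER.match(rec), REQID.search(rec), SPI.search(rec)
        if hdr and rq:
            out.append((int(rq.group(1)), (hdr.group(1), hdr.group(2)),
                        spi.group(1) if spi else None))
    return out


def parse_policies(dump):
    """Return [(reqid, (tmpl_src, tmpl_dst), selector)] for templated policies.

    Socket policies and others without an IPsec template carry no reqid
    and are skipped.
    """
    out = []
    for rec in split_records(dump):
        hdr, tmpl, rq = HEADER.match(rec), TMPL.search(rec), REQID.search(rec)
        if hdr and tmpl and rq:
            out.append((int(rq.group(1)), (tmpl.group(1), tmpl.group(2)),
                        f"{hdr.group(1)}->{hdr.group(2)}"))
    return out


def tunnel_key(endpoints):
    """Order-independent tunnel identity so in/out SAs count as one tunnel."""
    return tuple(sorted(endpoints))


def find_reqid_conflicts(states, policies):
    """Map each colliding reqid to the distinct tunnels that use it.

    A reqid is in conflict when SAs or policy templates with that reqid
    point at more than one tunnel; a single charon would never do that,
    so it indicates two instances sharing one reqid space.
    """
    tunnels = defaultdict(set)
    for reqid, ep, _ in states:
        tunnels[reqid].add(tunnel_key(ep))
    for reqid, ep, _ in policies:
        tunnels[reqid].add(tunnel_key(ep))
    return {r: sorted(t) for r, t in tunnels.items() if len(t) > 1}


if __name__ == "__main__":
    conflicts = find_reqid_conflicts(parse_states(SAMPLE_STATE),
                                     parse_policies(SAMPLE_POLICY))
    for reqid, tunnels in sorted(conflicts.items()):
        print(f"reqid {reqid} is shared by tunnels: {tunnels}")
```

On the sample, reqid 1 is reported as shared by the 192.0.2.x and 198.51.100.x tunnels while reqid 2 is clean. On a real host, a non-empty result is the concrete symptom of the problem Tobias describes: the kernel cannot tell which instance's policy a given SA belongs to, and whichever instance flushes or replaces state by reqid takes the other's with it.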