[strongSwan] Running dual instances of strongswan
Tobias Brunner
tobias at strongswan.org
Tue Sep 11 11:16:35 CEST 2012
Hi Terry,
> What's this req id range issue you mentioned?
> Could you elaborate more on this?
The reqid is one of the key elements the Linux kernel uses to find a
state (IPsec SA) based on an IPsec policy that matched a packet. If two
daemons use the same reqids (charon simply starts with 1 and increases
this number with each CHILD_SA, if it is not set via ipsec.conf) this
could lead to conflicts. Fortunately, the reqid is not the only
property the kernel compares, for instance, the source and destination
IP addresses are also considered. So I may have exaggerated the issue a
bit, as conflicts might only arise in very specific situations. In your
case it's no problem, anyway, as only one of the instances actually
interacts with the kernel.
Regards,
Tobias
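
Added example (not part of the original message and not strongSwan code): a Python check that groups the SAs in `ip xfrm state` output by reqid together with source and destination address, the properties named above, and reports any group holding more than one SA. Including protocol and mode in the key is an assumption made here, the sample dump is constructed, and two SAs sharing a key is also normal for a short time while a CHILD_SA is being rekeyed.

```python
import re
from collections import defaultdict

# Constructed sample in the layout printed by `ip xfrm state`
# (addresses, SPIs and reqids are made up for this example).
SAMPLE = """\
src 192.0.2.1 dst 198.51.100.7
    proto esp spi 0xc0a1b2c3 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
src 198.51.100.7 dst 192.0.2.1
    proto esp spi 0xc4d5e6f7 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
src 192.0.2.1 dst 198.51.100.7
    proto esp spi 0xc8091a2b reqid 1 mode tunnel
    replay-window 32 flag af-unspec
src 192.0.2.1 dst 203.0.113.9
    proto esp spi 0xcc3d4e5f reqid 1 mode tunnel
    replay-window 32 flag af-unspec
"""

HEAD = re.compile(r"^src (\S+) dst (\S+)")
# \S* after the number tolerates the "(0x...)" suffix printed by `ip -s`.
BODY = re.compile(r"^\s+proto (\S+) spi (0x[0-9a-f]+) reqid (\d+)\S* mode (\S+)")

def parse_states(text):
    """Yield (src, dst, proto, reqid, mode, spi) for each SA in the dump."""
    src = dst = None
    for line in text.splitlines():
        if m := HEAD.match(line):
            src, dst = m.groups()
        elif (m := BODY.match(line)) and src:
            proto, spi, reqid, mode = m.groups()
            yield (src, dst, proto, int(reqid), mode, spi)

def ambiguous_keys(text):
    """Map each (src, dst, proto, reqid, mode) shared by several SAs to their SPIs."""
    by_key = defaultdict(list)
    for *key, spi in parse_states(text):
        by_key[tuple(key)].append(spi)
    return {k: v for k, v in by_key.items() if len(v) > 1}

if __name__ == "__main__":
    for key, spis in ambiguous_keys(SAMPLE).items():
        print("several SAs share one lookup key:", key, spis)
```

In the sample, reqid 1 appears four times, but only the two SAs with the same source and destination are reported; the reverse-direction SA and the SA to a different peer do not collide.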