[strongSwan] Running dual instances of strongswan

Tobias Brunner tobias at strongswan.org
Tue Sep 11 11:16:35 CEST 2012


Hi Terry,

> What's this req id range issue you mentioned?
> Could you elaborate more on this?

The reqid is one of the key elements the Linux kernel uses to find a
state (IPsec SA) based on an IPsec policy that matched a packet.  If two
daemons use the same reqids (charon simply starts with 1 and increases
this number with each CHILD_SA, if it is not set via ipsec.conf) this
could lead to conflicts.  Fortunately, the reqid is not the only
property the kernel compares, for instance, the source and destination
IP addresses are also considered.  So I may have exaggerated the issue a
bit, as conflicts might only arise in very specific situations.  In your
case it's no problem, anyway, as only one of the instances actually
interacts with the kernel.

Regards,
Tobias
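An added example, not part of the original message or of strongSwan: a small Python check that reads `ip xfrm state` style output and separates SAs that merely share a reqid (still told apart by source and destination address, as described above) from SAs whose reqid and addresses all coincide. The sample dump is constructed, and treating (reqid, src, dst, proto) as the lookup key is a simplifying assumption.

```python
import re
from collections import defaultdict

# Constructed `ip xfrm state` excerpt (documentation addresses, made-up SPIs).
SAMPLE = (
    "src 192.0.2.1 dst 198.51.100.7\n"
    "\tproto esp spi 0xc1a2b3c4 reqid 1 mode tunnel\n"
    "src 198.51.100.7 dst 192.0.2.1\n"
    "\tproto esp spi 0xc5d6e7f8 reqid 1 mode tunnel\n"
    "src 192.0.2.1 dst 203.0.113.9\n"
    "\tproto esp spi 0xc0ffee01 reqid 1 mode tunnel\n"
    "src 192.0.2.1 dst 198.51.100.7\n"
    "\tproto esp spi 0xcafe0002 reqid 1 mode tunnel\n"
    "src 192.0.2.1 dst 203.0.113.20\n"
    "\tproto esp spi 0xc0de0003 reqid 2 mode tunnel\n"
)

HEAD = re.compile(r"^src (\S+) dst (\S+)")
BODY = re.compile(r"^\s+proto (\S+) spi (0x[0-9a-f]+) reqid (\d+)")

def parse_states(text):
    """Parse SAs out of `ip xfrm state` text; unrelated lines are skipped."""
    sas, addrs = [], None
    for line in text.splitlines():
        head, body = HEAD.match(line), BODY.match(line)
        if head:
            addrs = head.groups()
        elif body and addrs:
            proto, spi, reqid = body.groups()
            sas.append({"src": addrs[0], "dst": addrs[1], "proto": proto,
                        "spi": spi, "reqid": int(reqid)})
            addrs = None
    return sas

def reqid_report(sas):
    """Return (ambiguous, shared) groupings of the parsed SAs."""
    by_key, pairs = defaultdict(list), defaultdict(set)
    for sa in sas:
        # Assumed lookup key: reqid, the two addresses from the message, and proto.
        by_key[(sa["reqid"], sa["src"], sa["dst"], sa["proto"])].append(sa["spi"])
        pairs[sa["reqid"]].add((sa["src"], sa["dst"]))
    # Same key, several SPIs: a rekey overlap, or two daemons using the same reqid.
    ambiguous = {k: v for k, v in by_key.items() if len(v) > 1}
    # Same reqid, different address pairs: still distinguished by src/dst.
    shared = {r: p for r, p in pairs.items() if len(p) > 1}
    return ambiguous, shared

if __name__ == "__main__":
    ambiguous, shared = reqid_report(parse_states(SAMPLE))
    print("ambiguous:", ambiguous)
    print("shared reqids:", shared)
```

An entry in `ambiguous` is not proof of a clash between daemons, since a single daemon briefly holds two SAs with the same key while rekeying; it only marks where to look.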





