[strongSwan] Running dual instances of strongswan

T Cheung tccheung1 at gmail.com
Wed Sep 12 00:42:40 CEST 2012


Hi Tobias,

That's good to know.  Actually, the second instance is still storing the SAs and policies in the kernel, but I am looking to remove them as part of investigating current issues.

Now I am also looking at another issue.  Even for the primary ipsec instance, we are planning to move away from software IPsec and may use hardware for it as well.  What's the best way to turn off Linux IPsec while still running strongswan?  Is there a switch somewhere, or maybe just not adding SAs to the kernel?  We still need the policies because routing decisions still depend on them.

Thanks,
Terry

On Tue, Sep 11, 2012 at 2:16 AM, Tobias Brunner <tobias at strongswan.org> wrote:
> Hi Terry,
>
>> What's this req id range issue you mentioned?
>> Could you elaborate more on this?
>
> The reqid is one of the key elements the Linux kernel uses to find a
> state (IPsec SA) based on an IPsec policy that matched a packet.  If two
> daemons use the same reqids (charon simply starts with 1 and increases
> this number with each CHILD_SA, if it is not set via ipsec.conf) this
> could lead to conflicts.  Fortunately, the reqid is not the only
> property the kernel compares, for instance, the source and destination
> IP addresses are also considered.  So I may have exaggerated the issue a
> bit, as conflicts might only arise in very specific situations.  In your
> case it's no problem, anyway, as only one of the instances actually
> interacts with the kernel.
>
> Regards,
> Tobias
>
>
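A check for the collision case Tobias describes, added here as an example and not part of this thread or of strongSwan itself: it parses (constructed, simplified) `ip xfrm state` output and reports SAs that share reqid, endpoints, protocol and mode, the fields the kernel compares when resolving a matching policy to a state. A single daemon also produces such a pair briefly while rekeying, so only a duplicate that persists points to two instances sharing a reqid range.

```python
"""Audit `ip xfrm state` output for reqid collisions between IPsec daemons."""
import re
from collections import defaultdict

# Constructed sample, modelled on `ip xfrm state` output with key material
# omitted.  Two daemons both started counting reqids at 1: SAs 1 and 3 share
# reqid AND endpoints, so a policy lookup may resolve to the wrong state;
# SA 2 reuses reqid 1 towards a different peer, which the kernel tells apart.
SAMPLE_XFRM_STATE = """\
src 10.1.0.1 dst 10.1.0.2
    proto esp spi 0x0000c001 reqid 1 mode tunnel
src 10.1.0.1 dst 10.2.0.9
    proto esp spi 0x0000c002 reqid 1 mode tunnel
src 10.1.0.1 dst 10.1.0.2
    proto esp spi 0x0000d001 reqid 1 mode tunnel
src 10.1.0.1 dst 10.1.0.2
    proto esp spi 0x0000d002 reqid 2 mode tunnel
"""

HEADER_RE = re.compile(r"^src (\S+) dst (\S+)")
STATE_RE = re.compile(r"^\s+proto (\w+) spi (0x[0-9a-f]+) reqid (\d+) mode (\w+)")


def parse_xfrm_state(text):
    """Return one dict per SA (src, dst, proto, spi, reqid, mode)."""
    sas, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:                      # "src A dst B" opens a new SA record
            current = {"src": m.group(1), "dst": m.group(2)}
            continue
        m = STATE_RE.match(line)
        if m and current is not None:
            current.update(proto=m.group(1), spi=m.group(2),
                           reqid=int(m.group(3)), mode=m.group(4))
            sas.append(current)
            current = None
    return sas


def find_reqid_collisions(sas):
    """Group SAs by the fields the kernel matches a policy template against
    (reqid, src, dst, proto, mode); return the keys backed by several SPIs."""
    groups = defaultdict(list)
    for sa in sas:
        key = (sa["reqid"], sa["src"], sa["dst"], sa["proto"], sa["mode"])
        groups[key].append(sa["spi"])
    return {key: spis for key, spis in groups.items() if len(spis) > 1}
```

On a live host, feed the real output in with `find_reqid_collisions(parse_xfrm_state(subprocess.check_output(["ip", "xfrm", "state"], text=True)))` and re-run after the rekey interval to separate transient rekey pairs from a genuine cross-instance overlap.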
