Date:      Thu, 3 Nov 2011 11:46:41 +0530
From:      Reji Thomas <rejithomas.d@gmail.com>
To:        freebsd-net@freebsd.org
Subject:   Doubt regarding key_do_allocsa_policy in ipsec path
Message-ID:  <CAA8Zg7FvmEeG6KHSe_LRPWd=RpAfNO1aV=K96kCFppEpG4Qgxw@mail.gmail.com>

Hi,

The key_do_allocsa_policy searches and deletes the non-preferred SAs if
there are multiple SAs that match the search parameters. I see that if
there are multiple SAs with the same parameters established between endpoints,
this ends up in deletion of all "outbound SAs" but the preferred SA. Since
the deletion occurs only on the outbound SA, this ends up in a scenario
where the corresponding inbound IPsec SAs get unpaired and are not cleaned up,
particularly when the IKE daemon doesn't send a delete notification of the SA to
the other peer (racoon2 IKEv1 doesn't seem to do this).

In such a scenario, what should be the proper thing to do?

1. Make sure that a delete notification is sent by the iked so that the
peers can clean up the unpaired SA.
2. Since IPsec SAs are always paired, should we delete the unpaired SA in
the kernel at the same time?

Thanks
Reji
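The situation the message describes, modelled in a small added example (this is constructed illustration code, not FreeBSD's key.c or the real `struct secasvar`): two SA pairs exist for the same selector, the outbound-only pruning leaves an inbound SA whose partner is gone, and the audit function counts such orphans. The `peer_spi` and `selector` fields, the `prefer_old` choice rule and the `delete_pair` switch (the message's option 2) are assumptions made for the model only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of SAD entries. Field names are
 * assumptions for this example and not FreeBSD's struct secasvar. */
enum sa_dir { SA_IN, SA_OUT };
enum sa_state { SA_MATURE, SA_DEAD };

struct sa_entry {
    uint32_t spi;          /* SPI of this SA */
    enum sa_dir dir;       /* inbound or outbound */
    enum sa_state state;   /* MATURE = usable, DEAD = scheduled for deletion */
    uint32_t peer_spi;     /* hypothetical: SPI of the SA negotiated with it in the other direction */
    int selector;          /* hypothetical: id of the src/dst/proto tuple it serves */
};

static struct sa_entry *find_by_spi(struct sa_entry *sad, size_t n, uint32_t spi) {
    for (size_t i = 0; i < n; i++)
        if (sad[i].spi == spi) return &sad[i];
    return NULL;
}

/* Choose one outbound SA for `selector` and mark the other matching outbound
 * SAs DEAD. With prefer_old the first (oldest) entry in list order wins,
 * otherwise the last (newest). When delete_pair is set, the inbound partner
 * of every SA marked DEAD is marked DEAD as well, so no orphan remains.
 * Returns the chosen SPI, or 0 when no usable outbound SA matches. */
uint32_t allocsa_prune(struct sa_entry *sad, size_t n, int selector,
                       int prefer_old, int delete_pair) {
    struct sa_entry *chosen = NULL;
    for (size_t i = 0; i < n; i++) {
        struct sa_entry *e = &sad[i];
        if (e->dir != SA_OUT || e->state != SA_MATURE || e->selector != selector)
            continue;
        if (chosen == NULL || !prefer_old) chosen = e;
    }
    if (chosen == NULL) return 0;
    for (size_t i = 0; i < n; i++) {
        struct sa_entry *e = &sad[i];
        if (e == chosen || e->dir != SA_OUT || e->state != SA_MATURE || e->selector != selector)
            continue;
        e->state = SA_DEAD;                       /* outbound-only deletion */
        if (delete_pair) {                        /* option 2: drop the partner too */
            struct sa_entry *in = find_by_spi(sad, n, e->peer_spi);
            if (in != NULL && in->dir == SA_IN) in->state = SA_DEAD;
        }
    }
    return chosen->spi;
}

/* Audit: count MATURE inbound SAs whose outbound partner is missing or DEAD. */
size_t count_orphan_inbound(struct sa_entry *sad, size_t n) {
    size_t orphans = 0;
    for (size_t i = 0; i < n; i++) {
        if (sad[i].dir != SA_IN || sad[i].state != SA_MATURE) continue;
        struct sa_entry *out = find_by_spi(sad, n, sad[i].peer_spi);
        if (out == NULL || out->state == SA_DEAD) orphans++;
    }
    return orphans;
}

/* Constructed sample SAD: two SA pairs negotiated for the same selector. */
#define SAMPLE_N 4
void build_sample(struct sa_entry sad[SAMPLE_N]) {
    struct sa_entry s[SAMPLE_N] = {
        { 0x1001, SA_OUT, SA_MATURE, 0x2001, 1 },
        { 0x2001, SA_IN,  SA_MATURE, 0x1001, 1 },
        { 0x1002, SA_OUT, SA_MATURE, 0x2002, 1 },
        { 0x2002, SA_IN,  SA_MATURE, 0x1002, 1 },
    };
    memcpy(sad, s, sizeof s);
}

/* Run the pruning on the sample and report how many inbound SAs are left unpaired. */
size_t orphans_after_prune(int delete_pair) {
    struct sa_entry sad[SAMPLE_N];
    build_sample(sad);
    allocsa_prune(sad, SAMPLE_N, 1, /*prefer_old=*/1, delete_pair);
    return count_orphan_inbound(sad, SAMPLE_N);
}

int main(void) {
    printf("orphan inbound SAs, outbound-only deletion: %zu\n", orphans_after_prune(0));
    printf("orphan inbound SAs, paired deletion:        %zu\n", orphans_after_prune(1));
    return 0;
}
```

With outbound-only deletion the audit reports one orphan (inbound 0x2002, whose outbound partner 0x1002 was marked DEAD); with paired deletion it reports none. An audit of this kind, run over the real SAD, is also the check that tells the kernel-side and IKE-side fixes apart: if inbound SAs keep accumulating without partners, the peer never received a delete notification.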