On Tue, 23 May 2017 15:58:08 +0300 Alex Levit <alexl.glo...@gmail.com> wrote:
> In our OpenNHRP deployments there are always 4 security associations
> created: two for incoming and two for outgoing. Data flow is working
> OK, but actually 2 SAs would be enough.
> Creation of the first pair is triggered by the GRE policy in the spoke
> when the NHRP registration is sent, and the next one by the peer-up
> event in the opennhrp-script.
> My question is whether this is expected or am I doing anything
> wrong?

I believe there are two because both spokes initiate an SA, and IKEv1 does not handle well the situation when both sides connect at the same time. Well, the situation is handled gracefully, it just results in duplicate SAs.

Technically, this is perfectly OK. It of course may have some minor side effects on scalability on embedded devices. But yes, this is kind of expected.

This will mostly not happen with Quagga/NHRP and strongSwan when configured for IKEv2.

Cheers,
Timo

_______________________________________________
opennhrp-devel mailing list
opennhrp-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opennhrp-devel