In my setup I experience the same thing.
In a Hub and Spoke topology the Next Hop Server was already initialized.
On Tue, May 23, 2017 at 4:25 PM, Alex Levit <alexl.glo...@gmail.com> wrote:
> Thank you Timo, one more question:
>
> Why are establish-sa commands needed in the peer-up case of the
> opennhrp-script on the NHS?
> It seems that if the spoke is always initiating first, the NHS may give up these
> commands - am I missing something?
>
> Regards
> Alex
>
>
> On Tue, May 23, 2017 at 4:14 PM, Timo Teras <timo.te...@iki.fi> wrote:
>
>> On Tue, 23 May 2017 15:58:08 +0300
>> Alex Levit <alexl.glo...@gmail.com> wrote:
>>
>> > In our OpenNHRP deployments there are always 4 security associations
>> > created: two for incoming and two for outgoing. Data flow is working
>> > OK, but actually 2 SAs were just enough.
>> > Creation of the first pair is triggered by the GRE policy in the spoke when the NHRP
>> > registration is sent, and the next one by the peer-up event in the
>> > opennhrp-script.
>> > My question is whether this is expected or am I doing anything
>> > wrong?
>>
>> I believe there are two because both spokes initiate SA, and IKEv1 does
>> not handle well the situation when both sides connect at the same time. Well,
>> the situation is handled gracefully, it just results in duplicate SAs.
>> Technically, this is perfectly OK. It of course may have some minor
>> side effects on scalability on embedded devices.
>>
>> But yes, this is kind of expected. This will mostly not happen with
>> Quagga/NHRP and strongSwan when configured for IKEv2.
>>
>> Cheers,
>> Timo
>>
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> opennhrp-devel mailing list
> opennhrp-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/opennhrp-devel
>
>
--
Regards,
Sassy Natan
972-(05)54-2203702
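
The duplicate SAs discussed in this thread (four instead of two after both sides initiate under IKEv1) can be spotted by counting mature SAs per direction in the kernel SAD. The script below is an added example, not part of the original thread or of OpenNHRP; it assumes the ipsec-tools `setkey -D` output layout, and `sample_sad`, `dup_sas` and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Constructed, abbreviated sample in the layout of ipsec-tools `setkey -D`.
# Addresses are documentation ranges and SPIs are made up.
sample_sad() {
cat <<'EOF'
192.0.2.10 198.51.100.1
    esp mode=transport spi=1001(0x000003e9) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.10 198.51.100.1
    esp mode=transport spi=1002(0x000003ea) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.1 192.0.2.10
    esp mode=transport spi=2001(0x000007d1) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.1 192.0.2.10
    esp mode=transport spi=2002(0x000007d2) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
203.0.113.5 198.51.100.1
    esp mode=transport spi=3001(0x00000bb9) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.1 203.0.113.5
    esp mode=transport spi=4001(0x00000fa1) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
EOF
}

# Print "src dst proto count" for every direction that holds more than one
# mature SA. SAs in other states (for example state=dying) are not counted.
dup_sas() {
    awk '
        /^[^ \t]/ { src = $1; dst = $2; proto = ""; next }   # "src dst" header
        $1 == "esp" || $1 == "ah" { proto = $1; next }        # SA attribute line
        /state=mature/ && proto != "" { n[src " " dst " " proto]++; proto = "" }
        END { for (k in n) if (n[k] > 1) print k, n[k] }
    ' | sort
}

# Stand-alone run on the sample; on a live ipsec-tools host: setkey -D | dup_sas
sample_sad | dup_sas
```

In the sample, the first spoke shows two mature ESP SAs in each direction and is reported, while the second spoke with one SA per direction is not.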