On Tue, 21 Jan 2025, Mamta Gambhir wrote:

Thank you so much Paul for your prompt response. A couple of questions:

 *  I am not understanding the issue very well. In my setup 1 source IP negotiates with multiple destination IPs and also probably loopback on the same host. If you see below, all highlighted SA pairs are unique.

That part is fine. It is when there is a NULL "authenticated" connection
between peer A and peer B established, but a new request comes in from
peer A to peer B. If the connection was authenticated, we would replace
the old one with the new one. But since there is no authentication with
NULL, we cannot do that. At least that's what we decided. In a way, the
real question is, why does this happen to you? Perhaps you are
destroying and creating new containers or nodes and re-using the same IP
without cleaning up the old IPsec tunnel?

 *  This is a blocker issue for us and we are looking for a workaround and a fix. Because in my case, as you say, DPD isn't enabled, the connection doesn't get reestablished. Would you kindly suggest whether adding dpdaction=restart below in my conf file would suffice?

No, that is obsolete for ikev2. Just dpddelay=10s is needed.

 *  Is there an ETA for the SEGV fix? We would be very interested in helping test the fix whenever a patch is available, or in supporting the fix for this issue in any other way.

I assume some time this week, but we need to discuss first whether we
will make this trigger a DPD lookup (with or without DPD enabled) or
whether we allow replacing. Once we have discussed that with the developers
internally, the patch should be trivial.

Paul
_______________________________________________
Swan mailing list -- [email protected]
To unsubscribe send an email to [email protected]