Thank you Paul. Answers inline.

From: Paul Wouters <[email protected]>
Date: Tuesday, January 21, 2025 at 6:11 PM
To: Mamta Gambhir <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: [External] : Re: [Swan] SEGV using NULL authentication with multiple peers

On Tue, 21 Jan 2025, Mamta Gambhir wrote:
> Thank you so much Paul for your prompt response. A couple of questions:
>
> * I am not understanding the issue very well. In my setup 1 source IP
> negotiates with multiple destination IPs and also
> probably loopback on the same host. If you see below, all highlighted SA pairs
> are unique.

That part is fine. It is when there is a NULL "authenticated" connection between peer A and peer B established, but a new request comes in from peer A to peer B. If the connection was authenticated, we would replace the old one with the new one. But since there is no authentication with NULL, we cannot do that. At least that's what we decided.

In a way, the real question is, why does this happen to you? Perhaps you are destroying and creating new containers or nodes and re-using the same IP without cleaning up the old IPsec tunnel?

<MG> Actually nothing at all; it's just a few nodes that are part of this subnet, and I have set up IPsec for the first time on only two nodes from that subnet. No connections/nodes/VMs are yet being brought up or down, no MAC/IP address conflicts. I am bringing these IPsec tunnels up for the first time, and as soon as I do "ipsec start" I hit this. There are no pre-established tunnels. Maybe there could be parallelism in the authentication phase; that's all I can think of. <MG>

> * This is a blocker issue for us and we are looking for a workaround and a fix.
> Because in my case, as you say, DPD isn't enabled,
> the connection doesn't get re-established. Would you kindly suggest whether
> adding
>
> dpdaction=restart below in my conf file would suffice?

No, that is obsolete for IKEv2. Just dpddelay=10s is needed.

<MG> I still hit SEGV in this case. I tried with dpddelay=5s. Will check again. <MG>

> * Is there an ETA for the SEGV fix? We would be very interested in helping
> test the fix whenever a patch is available, or
> supporting the fix for this issue in any other way.
I assume some time this week, but we need to discuss first whether we will make this trigger a DPD lookup (with or without DPD enabled) or whether we allow replacing. Once we have discussed that with the developers internally, the patch should be trivial.

Paul
_______________________________________________
Swan mailing list -- [email protected]
To unsubscribe send an email to [email protected]
