Hi Tobias, That's good to know. Actually the second instance is actually still storing the SAs and policies in the kernel, but I am looking to remove them as part of investigating current issues.
Now I am also looking at another issue. Even for the primary ipsec instance, we are planning to move away from software IPsec and may use hardware for it as well. What's the best way to turn off Linux IPsec while still running strongSwan? Is there a switch somewhere, or maybe just not adding SAs to the kernel? We still need the policies because routing decisions still depend on them.

Thanks,
Terry

On Tue, Sep 11, 2012 at 2:16 AM, Tobias Brunner <[email protected]> wrote:
> Hi Terry,
>
>> What's this req id range issue you mentioned?
>> Could you elaborate more on this?
>
> The reqid is one of the key elements the Linux kernel uses to find a
> state (IPsec SA) based on an IPsec policy that matched a packet. If two
> daemons use the same reqids (charon simply starts with 1 and increases
> this number with each CHILD_SA, if it is not set via ipsec.conf) this
> could lead to conflicts. Fortunately, the reqid is not the only
> property the kernel compares, for instance, the source and destination
> IP addresses are also considered. So I may have exaggerated the issue a
> bit, as conflicts might only arise in very specific situations. In your
> case it's no problem, anyway, as only one of the instances actually
> interacts with the kernel.
>
> Regards,
> Tobias
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
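The reqid collision Tobias describes can be checked for on a running box rather than reasoned about. The script below is an added example, not code from the thread or from strongSwan: it parses the text that `ip xfrm state` and `ip xfrm policy` print and reports every outbound policy whose template (src, dst, proto, reqid, mode) is satisfied by more than one SA, which is exactly the case where two daemons handed the kernel the same reqid for the same gateway pair. The sample output embedded in the script is constructed to show one colliding pair and one harmless reuse of reqid 1 toward a different peer; the line layout it assumes is the usual iproute2 one, so adjust the regular expressions if your version prints differently.

```python
"""Flag outbound IPsec policies whose template matches more than one SA.

Added example (not strongSwan code). Feed it the text of `ip xfrm state`
and `ip xfrm policy`; it reports outbound policies for which the kernel's
template lookup (src, dst, proto, reqid, mode) is ambiguous. Inbound
policies are skipped because inbound SAs are selected by SPI and dst, which
are unique per SA.
"""
import re
from collections import defaultdict

# Constructed sample output: two daemons both installed a CHILD_SA with reqid 1
# between 192.0.2.1 and 198.51.100.1; a third SA reuses reqid 1 toward another
# peer, which is harmless because the addresses differ.
SAMPLE_STATE = """\
src 192.0.2.1 dst 198.51.100.1
\tproto esp spi 0xc9a3b5d1 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha256) 0xaa 128
\tenc cbc(aes) 0xbb
src 192.0.2.1 dst 198.51.100.1
\tproto esp spi 0x0d8e2f44 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha256) 0xcc 128
\tenc cbc(aes) 0xdd
src 192.0.2.1 dst 203.0.113.7
\tproto esp spi 0x5e1a0077 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha256) 0xee 128
\tenc cbc(aes) 0xff
"""

SAMPLE_POLICY = """\
src 10.1.0.0/16 dst 10.2.0.0/16
\tdir out priority 375423 ptype main
\ttmpl src 192.0.2.1 dst 198.51.100.1
\t\tproto esp reqid 1 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16
\tdir in priority 375423 ptype main
\ttmpl src 198.51.100.1 dst 192.0.2.1
\t\tproto esp reqid 1 mode tunnel
src 10.1.0.0/16 dst 10.3.0.0/16
\tdir out priority 375423 ptype main
\ttmpl src 192.0.2.1 dst 203.0.113.7
\t\tproto esp reqid 1 mode tunnel
"""

_ENDPOINTS = re.compile(r"^src (\S+) dst (\S+)")
_SA_ATTRS = re.compile(r"proto (\S+) spi (\S+) reqid (\d+) mode (\S+)")
_DIR = re.compile(r"dir (\S+)")
_TMPL = re.compile(r"tmpl src (\S+) dst (\S+)")
_TMPL_ATTRS = re.compile(r"proto (\S+) reqid (\d+) mode (\S+)")


def _records(text):
    """Split `ip xfrm` output into records; each starts at an unindented 'src' line."""
    rec = []
    for line in text.splitlines():
        if line.startswith("src ") and rec:
            yield rec
            rec = []
        rec.append(line)
    if rec:
        yield rec


def parse_states(text):
    """Return one dict per SA: src, dst, proto, spi, reqid, mode."""
    states = []
    for rec in _records(text):
        ends = _ENDPOINTS.match(rec[0])
        attrs = _SA_ATTRS.search(rec[1]) if len(rec) > 1 else None
        if not (ends and attrs):
            continue
        proto, spi, reqid, mode = attrs.groups()
        states.append({"src": ends.group(1), "dst": ends.group(2), "proto": proto,
                       "spi": spi, "reqid": int(reqid), "mode": mode})
    return states


def parse_policies(text):
    """Return one dict per policy: selector (src, dst), dir, and its template."""
    policies = []
    for rec in _records(text):
        sel = _ENDPOINTS.match(rec[0])
        body = "\n".join(rec[1:])
        d, t, a = _DIR.search(body), _TMPL.search(body), _TMPL_ATTRS.search(body)
        if not (sel and d and t and a):
            continue
        proto, reqid, mode = a.groups()
        policies.append({"selector": (sel.group(1), sel.group(2)), "dir": d.group(1),
                         "tmpl": {"src": t.group(1), "dst": t.group(2), "proto": proto,
                                  "reqid": int(reqid), "mode": mode}})
    return policies


def sa_key(s):
    """The tuple the kernel's outbound template lookup compares."""
    return (s["src"], s["dst"], s["proto"], s["reqid"], s["mode"])


def ambiguous_outbound(states, policies):
    """Map each outbound policy selector to the SPIs of all SAs its template matches,
    keeping only selectors with more than one candidate SA."""
    by_key = defaultdict(list)
    for s in states:
        by_key[sa_key(s)].append(s["spi"])
    return {p["selector"]: by_key[sa_key(p["tmpl"])]
            for p in policies
            if p["dir"] == "out" and len(by_key.get(sa_key(p["tmpl"]), [])) > 1}


if __name__ == "__main__":
    # Replace the samples with open("state.txt").read() etc. from a real host.
    hits = ambiguous_outbound(parse_states(SAMPLE_STATE), parse_policies(SAMPLE_POLICY))
    for (src, dst), spis in hits.items():
        print(f"policy {src} -> {dst}: {len(spis)} candidate SAs: {', '.join(spis)}")
```

A hit is only a problem if it persists: a CHILD_SA that is being rekeyed legitimately shows two states with the same tuple until the old one expires, so run the check twice a few minutes apart, or set distinct `reqid` values per connection in ipsec.conf for each daemon and confirm the hits disappear.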
