On Tuesday 12 August 2003 10:46, Alexey Toptygin wrote:

> I'm using the freeswan-2.01_2.4.20_18.9-0 rpms of freeswan with the
> corresponding RedHat kernel. I have a configuration with 1 tunnel to a
> SonicWall firewall and 2 tunnels to a NetScreen. All three tunnels are
> configured for autokey with a PSK, and working fine.
>
> The tunnel to the SonicWall always has one pair of [EMAIL PROTECTED] SAs and
> one pair of [EMAIL PROTECTED] SAs. The tunnels to the NetScreen, however, have
> an ever-growing number of SA pairs. They're currently at 10 each. I think
> they do expire, eventually, but their ever-growing numbers worry me. Is
> this a symptom of something serious?
The connection has a low IKE/IPsec lifetime, but the resulting SAs don't expire at a rate that reflects the increased rekey interval. FreeS/WAN does have a setting that would produce this behavior: rekeymargin, e.g. how long before SA expiry we should renegotiate the SA. Its default is 9 minutes. Since you haven't changed this value in your config file, I'd bet it's the NetScreen rekeying. Check its configuration; perhaps it has an analogous setting.

It could be quirky behavior: a low IKE/IPsec SA lifetime that doesn't get communicated properly during rekeying. You could turn up "plutodebug" to get more insight into the negotiations.

In any case, tunnels are cheap, and not really a performance concern. And as you think you've observed, the SAs expire as their lifetimes are reached (which, granted, can be a while). I don't see any major problem.

> Should I just reduce the keylife for those connections?

Altering ikelifetime/keylife is definitely an option.

- --
Sam Sgro
[EMAIL PROTECTED]
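The reply's reasoning (old SAs linger until their hard lifetime, while the peer keeps negotiating new ones, so the count of live SA pairs climbs and then plateaus; shortening keylife caps it) can be made concrete with a small model. This is an added example, not code from the thread or from FreeS/WAN, and it simplifies the real behaviour: it assumes the peer rekeys on a fixed interval, that FreeS/WAN itself would rekey at keylife minus rekeymargin (ignoring the random rekeyfuzz jitter), and that every SA lives for exactly the negotiated keylife. The values used (8h keylife, 9m rekeymargin, a peer rekeying every 30 minutes) are illustrative assumptions, not figures from the original post.

```python
"""Toy model of IPsec SA accumulation under rekeying.

Added example for the FreeS/WAN thread above; not project code.
Assumptions (not from the thread):
  - each SA pair lives for exactly `sa_lifetime` seconds (the keylife
    both sides agreed on) and is then hard-expired;
  - whichever side rekeys first determines the effective rekey interval;
  - FreeS/WAN's own rekey point is keylife - rekeymargin (rekeyfuzz,
    the random jitter on top of rekeymargin, is ignored here).
"""

SECONDS_PER_HOUR = 3600
SECONDS_PER_MINUTE = 60

FREESWAN_DEFAULT_KEYLIFE = 8 * SECONDS_PER_HOUR        # FreeS/WAN default keylife
FREESWAN_DEFAULT_REKEYMARGIN = 9 * SECONDS_PER_MINUTE  # FreeS/WAN default rekeymargin


def freeswan_rekey_interval(keylife: int, rekeymargin: int = FREESWAN_DEFAULT_REKEYMARGIN) -> int:
    """Seconds after an SA is set up at which FreeS/WAN (as initiator) would
    renegotiate it: rekeymargin before the SA's hard expiry."""
    if rekeymargin >= keylife:
        raise ValueError("rekeymargin must be smaller than keylife")
    return keylife - rekeymargin


def effective_rekey_interval(keylife: int, rekeymargin: int, peer_rekey_interval: int) -> int:
    """The earlier of our own rekey point and the peer's rekey interval wins."""
    return min(freeswan_rekey_interval(keylife, rekeymargin), peer_rekey_interval)


def live_sa_counts(sa_lifetime: int, rekey_interval: int, events: int) -> list[int]:
    """Simulate `events` rekeys spaced `rekey_interval` seconds apart and
    return, after each one, how many SA pairs are still unexpired.

    An SA created at time c is alive at time t while c + sa_lifetime > t.
    """
    live: list[int] = []  # creation times of unexpired SA pairs
    counts: list[int] = []
    for k in range(events):
        now = k * rekey_interval
        # Drop pairs whose hard lifetime has been reached.
        live = [created for created in live if created + sa_lifetime > now]
        live.append(now)  # the freshly negotiated pair
        counts.append(len(live))
    return counts


def steady_state_pairs(keylife: int, rekeymargin: int, peer_rekey_interval: int) -> int:
    """Peak number of concurrent SA pairs once the system has settled
    (run long enough for the first SA to expire several times over)."""
    interval = effective_rekey_interval(keylife, rekeymargin, peer_rekey_interval)
    events = 4 * (keylife // interval + 1)
    return max(live_sa_counts(keylife, interval, events))


if __name__ == "__main__":
    # Peer honours our keylife and does not rekey early: only the 9-minute
    # overlap around our own rekey, so at most 2 pairs at once.
    print("well-behaved peer:",
          steady_state_pairs(FREESWAN_DEFAULT_KEYLIFE, FREESWAN_DEFAULT_REKEYMARGIN,
                             peer_rekey_interval=FREESWAN_DEFAULT_KEYLIFE))
    # Peer rekeys every 30 minutes (assumed) while old pairs live for 8 hours:
    # the count climbs by one per rekey and plateaus at 16.
    print("eager peer, 8h keylife:",
          steady_state_pairs(FREESWAN_DEFAULT_KEYLIFE, FREESWAN_DEFAULT_REKEYMARGIN,
                             peer_rekey_interval=30 * SECONDS_PER_MINUTE))
    # The fix suggested in the reply: lower keylife so stale pairs die sooner.
    print("eager peer, 1h keylife:",
          steady_state_pairs(1 * SECONDS_PER_HOUR, FREESWAN_DEFAULT_REKEYMARGIN,
                             peer_rekey_interval=30 * SECONDS_PER_MINUTE))
```

The point the model makes is the one in the reply: nothing is leaking, the old pairs simply outlive the rekeys, and the plateau is roughly keylife divided by the peer's rekey interval. Reducing keylife (or ikelifetime) shrinks that plateau; raising rekeymargin on the FreeS/WAN side only moves FreeS/WAN's own rekey point and does nothing about a peer that rekeys on its own schedule.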