From: Scott Mcdermott <smcdermott@questra.com>
To: netdev@oss.sgi.com
Subject: Re: [IPSEC] Too many SADs!
Date: Tue, 22 Mar 2005 14:48:21 -0800
Message-ID: <20050322224819.GB4924@questra.com>
In-Reply-To: <200503220052.52756.wolfgang.walter@studentenwerk.mhn.de>
Wolfgang Walter on Tue 22/03 00:52 +0100:
> We had the same problem. Seems to be a limitation of the
> pfkey-implementation of linux.
>
> racoon and setkey both use the pfkey-interface.
>
> We switched to iproute2 and openswan which both use the
> netfilter-interface. Therefore they can handle thousands
> of SAD and SPD rules.
What, openswan uses PF_KEY last I checked on kernel 2.6. I
guess you can use KLIPS, but why would you? What's this
"netfilter-interface" to ipsec code?
I had the exact same problem the original poster had with
Racoon. SPDs would multiply without bounds, seemingly
geometrically.
I switched to strongswan and the problems immediately
vanished. There is some bug in racoon where it doesn't
replace SPDs. I used the latest ipsec-utils and kernel and
this problem did not go away until I switched instead to
strongswan (still using PF_KEY) (it also worked with
openswan).
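The symptom described in this message (SPD entries accumulating because the IKE daemon adds a new policy instead of replacing the old one) is easy to spot from a policy dump. The following check is an added example, not code from the thread or from any of the projects named in it; it parses the `src … dst … / dir …` layout that iproute2's `ip xfrm policy` prints, counts how often each (src, dst, dir) selector is installed, and flags duplicates. The policy dump embedded below is constructed for the example, and the `max_entries` alarm threshold is a hypothetical value.

```python
import re
from collections import Counter

# Constructed sample of `ip xfrm policy` output (not captured from a real
# host). It reproduces the symptom from the thread: the same outbound
# selector installed three times with different reqids instead of once.
SAMPLE_POLICY_DUMP = """\
src 10.0.0.0/24 dst 10.1.0.0/24
\tdir out priority 0
\ttmpl src 192.0.2.1 dst 192.0.2.2
\t\tproto esp reqid 1 mode tunnel
src 10.0.0.0/24 dst 10.1.0.0/24
\tdir out priority 0
\ttmpl src 192.0.2.1 dst 192.0.2.2
\t\tproto esp reqid 2 mode tunnel
src 10.1.0.0/24 dst 10.0.0.0/24
\tdir in priority 0
\ttmpl src 192.0.2.2 dst 192.0.2.1
\t\tproto esp reqid 1 mode tunnel
src 10.0.0.0/24 dst 10.1.0.0/24
\tdir out priority 0
\ttmpl src 192.0.2.1 dst 192.0.2.2
\t\tproto esp reqid 3 mode tunnel
"""

# A policy entry starts at column 0 with "src X dst Y"; the template lines
# below it are indented, so they do not match this anchored pattern.
SELECTOR_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"^\s*dir (\S+)")


def parse_policies(dump):
    """Return one (src, dst, dir) tuple per policy entry in the dump."""
    entries = []
    current = None
    for line in dump.splitlines():
        m = SELECTOR_RE.match(line)
        if m:
            current = [m.group(1), m.group(2), None]
            entries.append(current)
            continue
        m = DIR_RE.match(line)
        if m and current is not None:
            current[2] = m.group(1)
    return [tuple(e) for e in entries]


def duplicate_selectors(entries):
    """Map each (src, dst, dir) selector that appears more than once to its count."""
    counts = Counter(entries)
    return {sel: n for sel, n in counts.items() if n > 1}


def check_spd(dump, max_entries=1000):
    """Summarise an SPD dump: total entries, duplicated selectors, and whether
    the total exceeds max_entries (a hypothetical alarm threshold)."""
    entries = parse_policies(dump)
    return {
        "total": len(entries),
        "duplicates": duplicate_selectors(entries),
        "over_threshold": len(entries) > max_entries,
    }


if __name__ == "__main__":
    report = check_spd(SAMPLE_POLICY_DUMP)
    print(f"SPD entries: {report['total']}")
    for (src, dst, direction), n in report["duplicates"].items():
        print(f"selector src {src} dst {dst} dir {direction} installed {n} times")
    if report["over_threshold"]:
        print("SPD size above threshold")
```

On a live host the same check runs over the real dump by feeding the output of `ip xfrm policy` to `check_spd`; a selector count that keeps rising across runs while the set of distinct selectors stays flat is the signature of the policy-replacement bug discussed above, and is worth alarming on before the SPD becomes large enough to slow every policy lookup.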