 
 From:  "Thomas Hertz" <term at cynisk dot net>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] IPsec VPN - multiple SAD entries with same src/dst pair
 Date:  Wed, 28 Jul 2004 18:51:32 +0200
First of all, there will always be two identical entries during the time when
new SAs are negotiated. That is the time between the "hard" and the "soft"
timeout for the SA in question. When the old SA dies (the hard limit is
reached) it will be removed and the new one will be used instead.

Other than that, I have noticed that sometimes the negotiation fails
(especially with a Windows peer), and there are multiple SAs with about the
same lifetime. The link works though.

-
Thomas Hertz



> -----Original Message-----
> From: Jukka Salmi [mailto:j plus m0n0wall at 2004 dot salmi dot ch]
> Sent: den 28 juli 2004 18:43
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] IPsec VPN - multiple SAD entries with same src/dst
> pair
> 
> Hi,
> 
> while having a look at the SAD entries ("Diagnostics" -> "IPsec")
> on a m0n0wall 1.1b16 system I noticed some entries having the same
> source and destination address pairs (but different SPIs). Is
> this considered normal? However, the tunnel still works, so it's
> probably not a problem, but I just want to be sure...
> 
> 
> TIA, Jukka
> 
> --
> bashian roulette:
> $ ((RANDOM%6)) || rm -rf ~
> 