I'm using the freeswan-2.01_2.4.20_18.9-0 rpms of freeswan with the
corresponding RedHat kernel. I have a configuration with 1 tunnel to a
SonicWall firewall and 2 tunnels to a NetScreen. All three tunnels are
configured for autokey with a PSK, and working fine.
The tunnel to the SonicWall always has one pair of [EMAIL PROTECTED] SAs and
one pair of [EMAIL PROTECTED] SAs. The tunnels to the NetScreen, however, have
an ever growing number of SA pairs. They're currently at 10 each. I think
they do expire, eventually, but their ever-growing numbers worry me. Is
this a symptom of something serious? Should I just reduce the keylife for
those connections?
Alexey
Here's my ipsec.conf:
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.10.2.1 2003/06/13 23:27:25 sam Exp $
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces="ipsec0=eth1"
        klipsdebug=none
        plutodebug=none

conn NetScreen1
        left=65.105.113.198
        leftsubnet=172.16.0.0/16
        right=65.105.113.194
        rightsubnet=192.168.1.0/24
        auto=start
        authby=secret

conn NetScreen2
        left=65.105.113.198
        leftsubnet=10.30.1.0/24
        right=65.105.113.194
        rightsubnet=192.168.1.0/24
        auto=start
        authby=secret

conn SonicWall
        left=65.105.113.198
        leftnexthop=65.105.113.193
        leftsubnet=192.168.1.0/24
        right=some.ip.add.ress
        rightsubnet=10.30.1.0/24
        auto=start
        authby=secret

#overrides:
conn clear
        auto=ignore
conn clear-or-private
        auto=ignore
conn private-or-clear
        auto=ignore
conn private
        auto=ignore
conn block
        auto=ignore
conn packetdefault
        auto=ignore
_______________________________________________
FreeS/WAN Users mailing list
[EMAIL PROTECTED]
https://mj2.freeswan.org/cgi-bin/mj_wwwusr
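A way to watch for the SA build-up described in the post, as an added example that is not part of the original message or of FreeS/WAN itself. It assumes a KLIPS-style SA listing in which each ESP entry looks like esp.<spi>@<dst> ... dir=in|out src=<src>, takes the conns and peers from the posted ipsec.conf (the SonicWall peer's address is the post's own placeholder), and uses constructed sample lines rather than captured output.

```python
import re
from collections import defaultdict

# Conns in the posted ipsec.conf per remote peer: two NetScreen conns share one
# peer, the SonicWall conn has one (its address was elided in the post).
CONNS_PER_PEER = {"65.105.113.194": 2, "some.ip.add.ress": 1}

# Assumed listing shape (not taken from the post): esp.<spi>@<dst> ... dir=in|out src=<src>
SA_LINE = re.compile(
    r"^esp\.(?P<spi>[0-9a-f]+)@(?P<dst>\S+)\s.*\bdir=(?P<dir>in|out)\b\s+src=(?P<src>\S+)"
)

def count_sas(lines):
    """Return {peer: {"in": n, "out": n}}, attributing each ESP SA to its remote peer.

    Outbound SAs are named after their destination (the peer); inbound SAs are
    named after the local address, so their peer is read from the src field."""
    counts = defaultdict(lambda: {"in": 0, "out": 0})
    for line in lines:
        m = SA_LINE.match(line.strip())
        if not m:
            continue  # headers and non-ESP entries are ignored
        peer = m["dst"] if m["dir"] == "out" else m["src"]
        counts[peer][m["dir"]] += 1
    return dict(counts)

def flag_accumulation(counts, conns_per_peer, overlap=1):
    """Return peers holding more SAs in either direction than their conns justify.

    Steady state is one SA per direction per conn; one extra per direction is
    tolerated for the short overlap while a conn rekeys. Anything beyond that
    is the kind of growth the post describes and is worth investigating."""
    flagged = {}
    for peer, c in counts.items():
        allowed = conns_per_peer.get(peer, 1) * (1 + overlap)
        if c["in"] > allowed or c["out"] > allowed:
            flagged[peer] = c
    return flagged

# Constructed sample: SonicWall peer with one pair, NetScreen peer with ten pairs.
SAMPLE = [
    "esp.1001a001@some.ip.add.ress ESP_3DES_HMAC_MD5: dir=out src=65.105.113.198",
    "esp.1001a002@65.105.113.198 ESP_3DES_HMAC_MD5: dir=in src=some.ip.add.ress",
] + [
    f"esp.2002b{n:03x}@65.105.113.194 ESP_3DES_HMAC_MD5: dir=out src=65.105.113.198"
    for n in range(10)
] + [
    f"esp.3003c{n:03x}@65.105.113.198 ESP_3DES_HMAC_MD5: dir=in src=65.105.113.194"
    for n in range(10)
]

if __name__ == "__main__":
    print(flag_accumulation(count_sas(SAMPLE), CONNS_PER_PEER))
```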