[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Collision in IPSec SA negotiation
Awan Kumar Sharma writes:
> Is this a normal behavior.
> If yes, which SA will be used for protecting the traffic.
Doesn't care. Both are valid SAs for the data, so you can use either
one. Easiest thing is to just ignore this issue when talking with
other machines (it is so rare). When talking with your own machines
this can be deterministic (rekeying etc), so add some simple local fix
that will make sure this never happens (normally people use so that
the rekeying interval of the original initiator is little shorter than
actually negotiated, thus original initiator will start the rekeying
first in the next time also, and the responder will not start rekeying
because initiator already did that).
email@example.com Work : +358 303 9870
SSH Communications Security http://www.ssh.fi/
SSH IPSEC Toolkit http://www.ssh.fi/ipsec/