[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Collision in IPSec SA negotiation

Awan Kumar Sharma writes:
> 	Is this a normal behavior.


> If yes, which SA will be used for protecting the traffic.

Doesn't care. Both are valid SAs for the data, so you can use either
one. Easiest thing is to just ignore this issue when talking with
other machines (it is so rare). When talking with your own machines
this can be deterministic (rekeying etc), so add some simple local fix
that will make sure this never happens (normally people use so that
the rekeying interval of the original initiator is little shorter than
actually negotiated, thus original initiator will start the rekeying
first in the next time also, and the responder will not start rekeying
because initiator already did that). 
kivinen@ssh.fi                               Work : +358 303 9870
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/