From: Aidas K. <a.k...@gm...> - 2005-07-19 14:42:05
VANHULLEBUS Yvan wrote:
> On Tue, Jul 19, 2005 at 04:45:52PM +0300, Aidas Kasparas wrote:
> [....]
>
>> - if you do have several IP addresses, you can run several instances
>> simultaneously (each listening on a separate IP, with its own config).
>
> At least on KAME stacks, racoon is really NOT designed to be able to
> have several running instances on the same host.
>
> Did you try that on Linux stacks? Did it work?

Yes. I have been running it this way successfully in production since around 2004-12-04. I even think that it would run under KAME stacks with no problem.

And speaking of the pfkey interface, where almost any event is broadcast to everyone listening: it could hardly be described as "not designed" to run several instances of applications/daemons using it. Yes, there is no method to configure policies so as to choose which instance of the daemon an acquire is sent to. But, with a little intelligence on the daemon side, it could filter out "not mine" messages. See http://cvs.sourceforge.net/viewcvs.py/ipsec-tools/ipsec-tools/src/racoon/pfkey.c?r1=1.23&r2=1.24

I agree, this is not an optimal way. But if there were an option for a pfkey client to say what policies it is interested in (supplying the list of addresses it is listening on), then the kernel would be able to skip sending uninteresting messages.

-- 
Aidas Kasparas
IT administrator
GM Consult Group, UAB
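The "filter out not-mine messages" idea from the post above, as an added, self-contained example that is not code from racoon or from the linked pfkey.c revision. It builds a constructed SADB_ACQUIRE in the RFC 2367 wire layout (the structs and constants are declared inline here so the example does not depend on the platform's pfkeyv2.h, and the field names are abbreviated), then walks the extensions and accepts the message only if its SA source endpoint is one of the addresses this instance listens on. Matching on the SA source endpoint is an assumption about what "mine" should mean for an outbound ACQUIRE; the actual racoon change may differ. Because every PF_KEY listener receives every broadcast, the parser also bounds-checks the header's declared length and each extension's length against the bytes actually read, so a short read or a malformed message is dropped rather than parsed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* PF_KEY v2 constants and layouts per RFC 2367, declared inline (abbreviated field names)
 * so the example builds without the platform's pfkeyv2.h. Lengths are in 64-bit units. */
enum { PFK_VERSION = 2, PFK_ACQUIRE = 6, PFK_EXT_ADDRESS_SRC = 5, PFK_EXT_ADDRESS_DST = 6, PFK_UNIT = 8 };
struct sadb_msg { uint8_t version, type, errno_, satype; uint16_t len, reserved; uint32_t seq, pid; };
struct sadb_ext { uint16_t len, type; };
struct sadb_address { uint16_t len, exttype; uint8_t proto, prefixlen; uint16_t reserved; };

/* Append one IPv4 address extension: sadb_address header + sockaddr_in (8 + 16 = 24 bytes). */
static size_t put_addr(uint8_t *buf, size_t cap, uint16_t type, const char *ip)
{
    struct sadb_address ext = {0};
    struct sockaddr_in sin = {0};
    size_t n = sizeof ext + sizeof sin;                 /* already a multiple of PFK_UNIT */
    if (cap < n || inet_pton(AF_INET, ip, &sin.sin_addr) != 1) return 0;
    sin.sin_family = AF_INET;
    ext.len = (uint16_t)(n / PFK_UNIT);
    ext.exttype = type;
    ext.prefixlen = 32;
    memcpy(buf, &ext, sizeof ext);
    memcpy(buf + sizeof ext, &sin, sizeof sin);
    return n;
}

/* Build a constructed SADB_ACQUIRE as the kernel would broadcast it: header, then the
 * SA source and destination endpoints. Returns total bytes written, 0 on error. */
size_t build_acquire(uint8_t *buf, size_t cap, const char *src, const char *dst)
{
    struct sadb_msg hdr = {0};
    size_t off = sizeof hdr, n;
    if (cap < off || (n = put_addr(buf + off, cap - off, PFK_EXT_ADDRESS_SRC, src)) == 0) return 0;
    off += n;
    if ((n = put_addr(buf + off, cap - off, PFK_EXT_ADDRESS_DST, dst)) == 0) return 0;
    off += n;
    hdr.version = PFK_VERSION; hdr.type = PFK_ACQUIRE; hdr.seq = 1;
    hdr.len = (uint16_t)(off / PFK_UNIT);
    memcpy(buf, &hdr, sizeof hdr);
    return off;
}

/* Return 1 if the ACQUIRE's SA source address is one of the addresses this instance
 * listens on; 0 for "not mine" and for any truncated or malformed message. All reads
 * go through memcpy so no unaligned access is made into the raw buffer. */
int acquire_is_mine(const uint8_t *buf, size_t len, const struct in_addr *mine, size_t nmine)
{
    struct sadb_msg hdr;
    size_t off, total;
    if (len < sizeof hdr) return 0;
    memcpy(&hdr, buf, sizeof hdr);
    total = (size_t)hdr.len * PFK_UNIT;
    if (hdr.version != PFK_VERSION || hdr.type != PFK_ACQUIRE) return 0;
    if (total < sizeof hdr || total > len) return 0;     /* declared length must fit what was read */
    for (off = sizeof hdr; off + sizeof(struct sadb_ext) <= total; ) {
        struct sadb_ext ext;
        size_t elen;
        memcpy(&ext, buf + off, sizeof ext);
        elen = (size_t)ext.len * PFK_UNIT;
        if (elen < sizeof ext || off + elen > total) return 0;   /* extension overruns message */
        if (ext.type == PFK_EXT_ADDRESS_SRC) {
            struct sockaddr_in sin;
            size_t i;
            if (elen < sizeof(struct sadb_address) + sizeof sin) return 0;
            memcpy(&sin, buf + off + sizeof(struct sadb_address), sizeof sin);
            if (sin.sin_family != AF_INET) return 0;         /* IPv4 only in this example */
            for (i = 0; i < nmine; i++)
                if (sin.sin_addr.s_addr == mine[i].s_addr) return 1;
            return 0;
        }
        off += elen;
    }
    return 0;                                            /* no source address extension at all */
}

/* Does the instance bound to listen_ip own an ACQUIRE for src->dst? short_by simulates a
 * read that delivered fewer bytes than the header claims (0 for a complete message). */
int instance_should_handle(const char *listen_ip, const char *src, const char *dst, size_t short_by)
{
    uint8_t msg[128];
    struct in_addr mine;
    size_t n = build_acquire(msg, sizeof msg, src, dst);
    if (n == 0 || n < short_by || inet_pton(AF_INET, listen_ip, &mine) != 1) return 0;
    return acquire_is_mine(msg, n - short_by, &mine, 1);
}

int main(void)
{
    /* Constructed sample: one ACQUIRE for 192.0.2.1 -> 198.51.100.7 seen by two instances. */
    printf("instance on 192.0.2.1: %d\n", instance_should_handle("192.0.2.1", "192.0.2.1", "198.51.100.7", 0));
    printf("instance on 192.0.2.2: %d\n", instance_should_handle("192.0.2.2", "192.0.2.1", "198.51.100.7", 0));
    printf("message short by 8 bytes: %d\n", instance_should_handle("192.0.2.1", "192.0.2.1", "198.51.100.7", 8));
    return 0;
}
```

In a real daemon the `mine` array would be the set of addresses the instance's `listen` block binds, and the same check would be applied to every kernel-originated message type the daemon reacts to, not just ACQUIRE; the point the post makes still holds, though: this is filtering after delivery, and only a kernel-side subscription option would stop the extra copies from being sent at all.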