On Thu, 12 Sep 2002 13:46:44 +0200, Matthias Drochner <M.Drochner@fz-juelich.de> wrote:
> it just happened for me that an ESP tunnel mode negotiation lead
> to two SAs in each direction on one side. Because the SA unknown
> to the other end was used, the other side complained a lot:
> "IPv4 ESP input: no key association found for spi 111506327"
> in its kernel output.
> 
> Anyone seen this? The box with the double SAs is -current from a
> couple of weeks ago, the other side almost up-to-date.
> (After a "setkey -F" on the former one everything went normal.)

I see this kind of situation almost every time that I reboot one of
my tunnel endpoints.  Usually I see no ill effects.  For me, the
systems seem to create one SA and the immediately create another that
then gets used without error.

I've never really thought much about it since things still work for me.
I guess that I've always chalked it up to the oddness of IKE's design.

Paul
-- 
Paul Dokas                                            dokas@cs.umn.edu
======================================================================
Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."