From: Emeric POUPON <emeric.poupon@stormshield.eu>
To: FreeBSD Net <freebsd-net@freebsd.org>
Date: Mon, 28 Sep 2015 10:08:25 +0200 (CEST)
Subject: Re: IPsec: question on the sysctl preferred_oldsa
Message-ID: <1049417046.2997430.1443427705821.JavaMail.zimbra@stormshield.eu>
In-Reply-To: <868621474.11105551.1439798865541.JavaMail.zimbra@stormshield.eu>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

Hello,

No idea on this question?

To sum up the potential problems:

- strongSwan does not expect the kernel to destroy an SA, and produces errors after that (it cannot find the expected SA in the kernel since it has been deleted).
- racoon uses the "delete" event from the kernel and creates an ISAKMP DELETE message to the remote host, with the relevant SPI. In some situations, both endpoints negotiate a pair of SAs at the same time, and keep deleting their old SA and renegotiating. I suspect this behavior is related to this sysctl.

What do you think?

Emeric

----- Original message -----
From: "Emeric POUPON"
To: "FreeBSD Net"
Sent: Monday 17 August 2015 10:07:45
Subject: IPsec: question on the sysctl preferred_oldsa

Hello,

I have some questions about the sysctl "net.key.preferred_oldsa":
https://svnweb.freebsd.org/base/head/sys/netipsec/key.c?view=markup#l971

When I set net.key.preferred_oldsa to 0 (similar to Linux's behavior, according to what I have read so far):

- why does the kernel delete the old SA itself? Why not just select the newest one?
- why does it delete the old SA only if it has been created in another "second" of time?

strongSwan does not expect that behavior and I can see a lot of errors in its logs: the SA has been deleted but it does not know about that (strongSwan wants to control the SA installation/deletion itself).

Two pairs of SAs may be negotiated and installed at the same time due to high load, bidirectional traffic. It seems quite questionable to delete the old one in that case.

What do you think?

Emeric

_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
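Added illustration, not part of the thread and not FreeBSD's key.c: a small C model of the selection rule exactly as the mail describes it (preferred_oldsa=1 uses the oldest live SA; preferred_oldsa=0 uses the newest and deletes an older SA only when its creation time falls in a different second). The SPIs and timestamps are constructed, and `model_select_sa` is a hypothetical helper; it exists to show why two SAs negotiated within the same second survive together while SAs one second apart do not.

```c
#include <stdio.h>
#include <time.h>

/* Simplified model (added illustration, not FreeBSD's key.c) of the SA
 * selection behaviour described in the mail for net.key.preferred_oldsa:
 *   preferred_oldsa=1: among live SAs matching a policy, use the oldest;
 *   preferred_oldsa=0: use the newest, and delete an older SA only when it
 *                      was created in a different (earlier) second.
 * 'created' holds whole seconds, which is why two SAs negotiated within the
 * same second are indistinguishable to this rule. */

struct model_sa {
    unsigned int spi;
    time_t created;   /* creation time, whole seconds */
    int deleted;      /* 1 once the model would have deleted the SA */
};

/* Pick the SA to use and apply the deletion rule. Returns the index of the
 * selected SA or -1 if none is live; *ndeleted counts SAs deleted here. */
int model_select_sa(struct model_sa *sas, int n, int preferred_oldsa, int *ndeleted)
{
    int best = -1;
    *ndeleted = 0;
    for (int i = 0; i < n; i++) {
        if (sas[i].deleted)
            continue;
        if (best < 0) {
            best = i;
            continue;
        }
        if (preferred_oldsa) {
            if (sas[i].created < sas[best].created)
                best = i;           /* oldest wins, nothing is deleted */
        } else if (sas[i].created > sas[best].created) {
            sas[best].deleted = 1;  /* older SA from an earlier second is dropped */
            (*ndeleted)++;
            best = i;
        } else if (sas[i].created < sas[best].created) {
            sas[i].deleted = 1;     /* candidate is older by a full second */
            (*ndeleted)++;
        }
        /* same second with preferred_oldsa=0: both stay, first found is used */
    }
    return best;
}

/* Constructed two-SA scenario (hypothetical SPIs): returns the chosen SPI. */
unsigned int model_chosen_spi(int preferred_oldsa, time_t t0, time_t t1)
{
    struct model_sa sas[2] = { { 0x1001u, t0, 0 }, { 0x1002u, t1, 0 } };
    int nd;
    int idx = model_select_sa(sas, 2, preferred_oldsa, &nd);
    return idx < 0 ? 0u : sas[idx].spi;
}

/* Same scenario: how many SAs the rule deletes. */
int model_deleted_count(int preferred_oldsa, time_t t0, time_t t1)
{
    struct model_sa sas[2] = { { 0x1001u, t0, 0 }, { 0x1002u, t1, 0 } };
    int nd;
    model_select_sa(sas, 2, preferred_oldsa, &nd);
    return nd;
}

int main(void)
{
    printf("preferred_oldsa=1, SAs at t=100,101: use spi 0x%x, deleted %d\n",
           model_chosen_spi(1, 100, 101), model_deleted_count(1, 100, 101));
    printf("preferred_oldsa=0, SAs at t=100,101: use spi 0x%x, deleted %d\n",
           model_chosen_spi(0, 100, 101), model_deleted_count(0, 100, 101));
    printf("preferred_oldsa=0, SAs at t=100,100: use spi 0x%x, deleted %d\n",
           model_chosen_spi(0, 100, 100), model_deleted_count(0, 100, 100));
    return 0;
}
```

The third scenario is the race the mail worries about: two SAs installed in the same second by simultaneous negotiations both survive under this rule, while the same pair one second apart loses the older SA without the IKE daemon being asked.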