From owner-freebsd-net@freebsd.org Mon Aug 17 08:14:36 2015
From: Emeric POUPON
To: FreeBSD Net
Date: Mon, 17 Aug 2015 10:07:45 +0200 (CEST)
Subject: IPsec: question on the sysctl preferred_oldsa
Message-ID: <868621474.11105551.1439798865541.JavaMail.zimbra@stormshield.eu>
In-Reply-To: <2101280536.11100114.1439798033324.JavaMail.zimbra@stormshield.eu>
List-Id: Networking and TCP/IP with FreeBSD

Hello,
I have some questions about the sysctl "net.key.preferred_oldsa":
https://svnweb.freebsd.org/base/head/sys/netipsec/key.c?view=markup#l971

When I set net.key.preferred_oldsa to 0 (similar to Linux's behavior, according to what I have read so far):

- why does the kernel itself delete the old SA? Why not just select the newest one?
- why does it delete the old SA only if it has been created in another "second" of time?

strongSwan does not expect that behavior and I can see a lot of errors in its logs: the SA has been deleted but it does not know about that (strongSwan wants to control the SA installation/deletion itself).

Two pairs of SAs may be negotiated and installed at the same time due to high load, bidirectional traffic. It seems to be quite questionable to delete the old one in that case.

What do you think?

Emeric
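The following is an added illustration, not part of the original message and not FreeBSD's key.c: a small Python model of the SA selection behaviour the message describes for net.key.preferred_oldsa, so the rekey race can be seen concretely. It assumes (as the message states) that the kernel tracks SA creation time in whole seconds, that with preferred_oldsa=1 the oldest SA is kept in use and nothing is removed, and that with preferred_oldsa=0 the newest SA wins while an older SA is deleted only when its creation second differs from the winner's. The SPIs and timestamps are constructed sample values.

```python
"""Toy model of SA selection under net.key.preferred_oldsa.

Constructed illustration for the question above; it is NOT the FreeBSD
kernel's key.c and does not reproduce its control flow. It only encodes the
behaviour the message describes, so the effect of the sysctl on a rekey
race can be reasoned about:
  preferred_oldsa=1: the oldest SA stays in use, nothing is deleted.
  preferred_oldsa=0: the newest SA is used; an older SA is deleted by the
                     kernel only if it was created in a different second.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SA:
    spi: int        # constructed SPI, not a real value
    created: int    # creation time in whole seconds (assumed kernel granularity)


def select_sa(sad: List[SA], preferred_oldsa: bool) -> Tuple[Optional[SA], List[int]]:
    """Return (SA chosen for use, SPIs the kernel would delete on its own)."""
    if not sad:
        return None, []
    if preferred_oldsa:
        # Old-SA preference: keep the oldest; newer SAs remain installed
        # and simply become usable once the old one expires.
        return min(sad, key=lambda s: s.created), []
    candidate = sad[0]
    deleted: List[int] = []
    for sa in sad[1:]:
        if sa.created > candidate.created:
            # Newer SA wins. The previous winner was created in an earlier
            # second, so the kernel removes it behind the IKE daemon's back.
            deleted.append(candidate.spi)
            candidate = sa
        elif sa.created < candidate.created:
            deleted.append(sa.spi)
        # sa.created == candidate.created: same second, both SAs are kept,
        # which is the exception the message asks about.
    return candidate, deleted


def simulate_rekey(first_created: int, second_created: int,
                   preferred_oldsa: bool) -> Tuple[int, List[int]]:
    """Two SAs negotiated for the same policy (e.g. both peers rekeying
    under load); returns (chosen SPI, SPIs deleted by the kernel)."""
    sad = [SA(spi=0x1001, created=first_created),
           SA(spi=0x1002, created=second_created)]
    chosen, deleted = select_sa(sad, preferred_oldsa)
    assert chosen is not None
    return chosen.spi, deleted


if __name__ == "__main__":
    # Constructed scenarios matching the observations in the message.
    print("oldsa=1, one second apart:", simulate_rekey(100, 101, True))
    print("oldsa=0, one second apart:", simulate_rekey(100, 101, False))
    print("oldsa=0, same second:     ", simulate_rekey(100, 100, False))
```

The third scenario is the one that makes the daemon's view and the kernel's view diverge only sometimes: whether the "extra" SA from a simultaneous rekey survives depends on the second boundary, not on anything the IKE daemon decided. The current setting on a host can be read with `sysctl net.key.preferred_oldsa`.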