Date: Tue, 9 May 2006 10:07:57 +0200
From: VANHULLEBUS Yvan <vanhu_bsd@zeninc.net>
To: freebsd-net@freebsd.org
Subject: Re: IPSEC Interop problem with Cisco using multiple SA's
Message-ID: <20060509080757.GA20700@zen.inc>
In-Reply-To: <20060509030428.GA16965@verio.net>
References: <20060508220101.GA15248@verio.net> <445FDB7B.1060704@astralblue.net> <20060509030428.GA16965@verio.net>

On Mon, May 08, 2006 at 10:04:29PM -0500, David DeSimone wrote:
> Eugene M. Kim <ab@astralblue.net> wrote:
> >
> > I haven't tried this myself, but you may want to try using
> > "unique:<policy-id>" instead of "require" as the policy level
>
> After reading up on this behavior, I gave it a try, replacing all
> "require" policies with "unique".  I found that there was no need to
> set a policy identifier, as the system apparently chooses a random
> identifier if none is specified, and so all SPD's create unique SAD's as
> a result.

To be more exact, you can set up a manual reqid between 1 and
IPSEC_MANUAL_REQID_MAX (0x3fff by default), or let the system take the
next available value from IPSEC_MANUAL_REQID_MAX+1.


Yvan.

-- 
NETASQ - Secure Internet Connectivity
http://www.netasq.com
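
The policy levels discussed in this thread, written out as a setkey(8) policy file: the "require" form as the before case, then "unique" with a manual reqid and "unique" with no reqid. This is an added example, not configuration posted by anyone in the thread; every address and the reqid values 101 and 102 are constructed.

```conf
# Constructed example. Load with: setkey -f <this file>
# Local gateway 192.0.2.1, remote peer 198.51.100.1 (documentation ranges).
# Three local subnets reach the same remote subnet through one peer.
flush;
spdflush;

# Before: level "require". Both policies name the same tunnel
# endpoints and neither asks for an SA of its own.
# spdadd 10.1.0.0/24 10.9.0.0/24 any -P out ipsec
#         esp/tunnel/192.0.2.1-198.51.100.1/require;
# spdadd 10.2.0.0/24 10.9.0.0/24 any -P out ipsec
#         esp/tunnel/192.0.2.1-198.51.100.1/require;

# After, variant 1: "unique" with a manual reqid. Per the reply above,
# the value must lie between 1 and IPSEC_MANUAL_REQID_MAX
# (0x3fff by default).
spdadd 10.1.0.0/24 10.9.0.0/24 any -P out ipsec
        esp/tunnel/192.0.2.1-198.51.100.1/unique:101;
spdadd 10.9.0.0/24 10.1.0.0/24 any -P in ipsec
        esp/tunnel/198.51.100.1-192.0.2.1/unique:101;

spdadd 10.2.0.0/24 10.9.0.0/24 any -P out ipsec
        esp/tunnel/192.0.2.1-198.51.100.1/unique:102;
spdadd 10.9.0.0/24 10.2.0.0/24 any -P in ipsec
        esp/tunnel/198.51.100.1-192.0.2.1/unique:102;

# After, variant 2: bare "unique". No reqid is given, so the system
# takes the next available value from IPSEC_MANUAL_REQID_MAX+1.
spdadd 10.3.0.0/24 10.9.0.0/24 any -P out ipsec
        esp/tunnel/192.0.2.1-198.51.100.1/unique;
spdadd 10.9.0.0/24 10.3.0.0/24 any -P in ipsec
        esp/tunnel/198.51.100.1-192.0.2.1/unique;
```

After negotiation, `setkey -DP` lists the loaded policies and `setkey -D` lists the SAs with their reqid, which is how to confirm that each policy ended up with its own SA.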