Date: Wed, 3 Oct 2001 13:00:15 +0200
From: Guido van Rooij
To: freebsd-net@freebsd.org
Subject: IPsec rekey question (bug in racoon?)
Message-ID: <20011003130015.A68282@gvr.gvr.org>

I am using IPsec in tunnel mode. Everything works okay.
Then I decide to flush my SAD entries, on _one_ side of the tunnel.
Naturally, I see a key exchange going on. Afterwards I see that the
system on which I flushed the SAD entries does have new ones.
However the other side of the tunnel is still using the old one
for its tunnel to me. I would guess that that SAD would be replaced
as well? Is there a config item I overlooked?

Tcpdump showing what I just said:

12:33:31.189986 aaa.bbb.ccc.198 > aaa.bbb.ccc.193: ESP(spi=0x00169b89,seq=0x35) [tos 0x10]
12:33:31.322963 aaa.bbb.ccc.193 > aaa.bbb.ccc.198: ESP(spi=0x05c83a78,seq=0x35) [tos 0x10]
12:33:54.695274 aaa.bbb.ccc.198.500 > aaa.bbb.ccc.193.500: isakmp: phase 1 I agg: [|sa]
12:33:55.433767 aaa.bbb.ccc.193.500 > aaa.bbb.ccc.198.500: isakmp: phase 1 R agg: [|sa]
12:33:55.494034 aaa.bbb.ccc.198.500 > aaa.bbb.ccc.193.500: isakmp: phase 1 I agg: (hash: len=20)
12:33:55.524092 aaa.bbb.ccc.198.500 > aaa.bbb.ccc.193.500: isakmp: phase 2/others I oakley-quick[E]: [|hash]
12:33:55.731783 aaa.bbb.ccc.193.500 > aaa.bbb.ccc.198.500: isakmp: phase 2/others R oakley-quick[E]: [|hash]
12:33:55.733311 aaa.bbb.ccc.198.500 > aaa.bbb.ccc.193.500: isakmp: phase 2/others I oakley-quick[E]: [|hash]
12:33:59.650507 aaa.bbb.ccc.198 > aaa.bbb.ccc.193: ESP(spi=0x0aff2f79,seq=0x1)
12:33:59.659407 aaa.bbb.ccc.193 > aaa.bbb.ccc.198: ESP(spi=0x05c83a78,seq=0x36)
12:34:04.660544 aaa.bbb.ccc.198 > aaa.bbb.ccc.193: ESP(spi=0x0aff2f79,seq=0x2)
12:34:04.669431 aaa.bbb.ccc.193 > aaa.bbb.ccc.198: ESP(spi=0x05c83a78,seq=0x37)

-Guido
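
The comparison the trace above invites, as an added example that is not part of the original message: it splits the tcpdump text at the last quick mode (phase 2) packet and reports, per direction, whether ESP traffic moved to a new SPI. The function name `classify_flows` and the labels `rekeyed`, `stale` and `unknown` are assumptions of this example; the capture text is copied from the message.

```python
import re

# Capture text copied from the message above (addresses are masked in the original).
CAPTURE = """\
12:33:31.189986 aaa.bbb.ccc.198 > aaa.bbb.ccc.193: ESP(spi=0x00169b89,seq=0x35) [tos 0x10]
12:33:31.322963 aaa.bbb.ccc.193 > aaa.bbb.ccc.198: ESP(spi=0x05c83a78,seq=0x35) [tos 0x10]
12:33:54.695274 aaa.bbb.ccc.198.500 > aaa.bbb.ccc.193.500: isakmp: phase 1 I agg: [|sa]
12:33:55.433767 aaa.bbb.ccc.193.500 > aaa.bbb.ccc.198.500: isakmp: phase 1 R agg: [|sa]
12:33:55.494034 aaa.bbb.ccc.198.500 > aaa.bbb.ccc.193.500: isakmp: phase 1 I agg: (hash: len=20)
12:33:55.524092 aaa.bbb.ccc.198.500 > aaa.bbb.ccc.193.500: isakmp: phase 2/others I oakley-quick[E]: [|hash]
12:33:55.731783 aaa.bbb.ccc.193.500 > aaa.bbb.ccc.198.500: isakmp: phase 2/others R oakley-quick[E]: [|hash]
12:33:55.733311 aaa.bbb.ccc.198.500 > aaa.bbb.ccc.193.500: isakmp: phase 2/others I oakley-quick[E]: [|hash]
12:33:59.650507 aaa.bbb.ccc.198 > aaa.bbb.ccc.193: ESP(spi=0x0aff2f79,seq=0x1)
12:33:59.659407 aaa.bbb.ccc.193 > aaa.bbb.ccc.198: ESP(spi=0x05c83a78,seq=0x36)
12:34:04.660544 aaa.bbb.ccc.198 > aaa.bbb.ccc.193: ESP(spi=0x0aff2f79,seq=0x2)
12:34:04.669431 aaa.bbb.ccc.193 > aaa.bbb.ccc.198: ESP(spi=0x05c83a78,seq=0x37)
"""

ESP_RE = re.compile(r"^\S+ (\S+) > (\S+): ESP\(spi=(0x[0-9a-fA-F]+),seq=0x[0-9a-fA-F]+\)")
QUICK_RE = re.compile(r"isakmp: phase 2/others [IR] oakley-quick")

def classify_flows(capture):
    """Map each ESP flow (src, dst) to 'rekeyed', 'stale' or 'unknown',
    relative to the last quick mode (phase 2) packet in the capture."""
    lines = capture.splitlines()
    quick = [i for i, ln in enumerate(lines) if QUICK_RE.search(ln)]
    if not quick:
        return {}                      # no phase 2 exchange seen, nothing to compare
    cut = quick[-1]
    before, after = {}, {}
    for i, line in enumerate(lines):
        m = ESP_RE.match(line)
        if m:
            src, dst, spi = m.groups()
            (before if i < cut else after).setdefault((src, dst), set()).add(int(spi, 16))
    result = {}
    for flow in set(before) | set(after):
        if flow not in before or flow not in after:
            result[flow] = "unknown"   # no ESP on one side of the exchange
        elif before[flow] & after[flow]:
            result[flow] = "stale"     # still sending on a pre-rekey SPI
        else:
            result[flow] = "rekeyed"   # only new SPIs seen after phase 2
    return result

if __name__ == "__main__":
    for (src, dst), state in sorted(classify_flows(CAPTURE).items()):
        print(f"{src} > {dst}: {state}")
```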