From owner-freebsd-net Thu Oct 4 1:47:59 2001

From: Shoichi Sakane
Date: Thu, 04 Oct 2001 17:47:48 +0900
To: guido@gvr.org
Cc: freebsd-net@freebsd.org
Subject: Re: IPsec rekey question (bug in racoon?)
In-Reply-To: Your message of "Wed, 3 Oct 2001 13:00:15 +0200" <20011003130015.A68282@gvr.gvr.org>
Message-Id: <20011004174748J.sakane@kame.net>

> I am using IPsec in tunnel mode. Everything works okay. Then I decide
> to flush my SAD entries, on _one_ side of the tunnel.
> Naturally, I see a key exchange going on.
> Afterwards I see that the system on which I flushed the SAD entries does
> have new ones. However, the other side of the tunnel is still using
> the old one for its tunnel to me. I would guess that that SAD would be
> replaced as well?

FreeBSD's IPsec stack always uses the old SA when there are several SAs for the communication, so the other side used the old SA even when it had a new one.

The latest KAME has the flag net.key.prefered_oldsa, which makes the kernel use the new SA or the old one. If the flag is not 0, the kernel uses the new one.
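A small model of the SA selection discussed in this thread, added here as an example; it is not code from the thread and not the KAME/FreeBSD kernel's implementation. The `prefer_oldsa` parameter stands in for the `net.key.prefered_oldsa` sysctl (true meaning the old SA is preferred, which is what the sysctl's name suggests; check the mapping against your kernel's documentation), the SA states and the rule that a MATURE SA beats a DYING one are assumptions, and the SPIs and timestamps are constructed. It shows why the unflushed side's traffic stops being decryptable once the flushed side holds only the new SA.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class SA:
    """One Security Association as it sits in the SAD (constructed values)."""
    spi: int
    state: str    # "larval", "mature", "dying" or "dead"
    created: int  # creation time, seconds since the epoch

def select_sa(sad: List[SA], prefer_oldsa: bool) -> Optional[SA]:
    """Pick the SA used for outbound traffic when several match one policy.

    Model (assumption): a MATURE SA is preferred over a DYING one; within
    the same state the oldest (prefer_oldsa=True) or the newest
    (prefer_oldsa=False) wins. LARVAL and DEAD SAs are never used.
    """
    for state in ("mature", "dying"):
        candidates = [sa for sa in sad if sa.state == state]
        if candidates:
            pick = min if prefer_oldsa else max
            return pick(candidates, key=lambda sa: sa.created)
    return None

def peer_accepts(peer_sad: List[SA], spi: int) -> bool:
    """Inbound lookup at the receiver: the SPI must exist and be usable."""
    return any(sa.spi == spi and sa.state in ("mature", "dying")
               for sa in peer_sad)

def rekey_scenario(prefer_oldsa: bool) -> dict:
    """Reproduce the thread's situation after side A flushed its SAD.

    A's flush triggered a key exchange, so A holds only the new SA, while B
    (never flushed) still holds the old SA, not yet expired, plus the new one.
    """
    old = SA(spi=0x1001, state="mature", created=1_002_000_000)
    new = SA(spi=0x2002, state="mature", created=1_002_000_600)
    sad_a = [new]        # flushed, then re-negotiated
    sad_b = [old, new]   # both SAs still match the policy towards A
    chosen = select_sa(sad_b, prefer_oldsa)
    return {"b_sends_with_spi": chosen.spi,
            "a_can_decrypt": peer_accepts(sad_a, chosen.spi)}

if __name__ == "__main__":
    for flag in (True, False):
        print(f"prefer_oldsa={flag}: {rekey_scenario(flag)}")
```

With the old SA preferred, B keeps sending under SPI 0x1001, which A no longer has after its flush, so A drops the traffic; preferring the new SA makes both sides agree again.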