From: Helge Oldach <helge.oldach@atosorigin.com>
To: mike@sentex.net (Mike Tancsa)
cc: freebsd-hackers@freebsd.org
Date: Wed, 31 Mar 2004 11:55:53 +0200 (MET DST)
Subject: Re: FAST_IPSEC bug fix
Message-Id: <200403310955.LAA21806@galaxy.hbg.de.ao-srv.com>
In-Reply-To: <6.0.3.0.0.20040330120751.10bf1180@209.112.4.2> from Mike Tancsa at "Mar 30, 2004 7:13:58 pm"

Mike Tancsa:
> Well, it's not totally a bug, but missing functionality that looks like
> it is there but is not, and is pretty important to keep lossy links
> functioning with IPSEC. My colleague gabor@sentex.net created the patch
> below that implements net.key.prefered_oldsa when using FAST_IPSEC.

Yep, this is particularly important when running IPSec against other
vendors' IPSec implementations. Many appear to prefer the new SA over the
old one. Actually this is the only issue that stopped me from going to
FAST_IPSEC.

Please also note that the name of the sysctl has been changed in -CURRENT
about six weeks ago to net.key.preferred_oldsa (double "r"). I would
suggest changing it for RELENG_4 also, but *only* for FAST_IPSEC.

Helge
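As an added illustration (not code from this thread, from gabor's patch, or from FreeBSD's key.c), here is a constructed C model of the choice the sysctl governs: after a rekey leaves two usable SAs in the database, preferred_oldsa picks the older one while the other setting picks the newer one, which is what matters when the peer has already switched to the new SA. The SA states, SPIs and timestamps are made up.

```c
#include <stddef.h>

/* Constructed model of outbound SA selection; SA states and fields are
 * simplified and not the kernel's real structures. */
enum sa_state { SA_MATURE, SA_DYING, SA_DEAD };

struct sa {
    unsigned spi;
    unsigned created;   /* creation time; larger means newer */
    enum sa_state state;
};

/* Pick the SA to use for outbound traffic. DEAD SAs are never used and a
 * MATURE SA always beats a DYING one. Among SAs of the best state,
 * preferred_oldsa selects the oldest, otherwise the newest is selected. */
const struct sa *select_sa(const struct sa *sas, size_t n, int preferred_oldsa)
{
    const struct sa *best = NULL;
    for (size_t i = 0; i < n; i++) {
        const struct sa *s = &sas[i];
        if (s->state == SA_DEAD)
            continue;
        if (best == NULL || s->state < best->state) { /* better state wins */
            best = s;
            continue;
        }
        if (s->state != best->state)
            continue;
        if (preferred_oldsa ? s->created < best->created
                            : s->created > best->created)
            best = s;
    }
    return best;
}

/* Constructed SA database after a rekey: old SPI 0x1000 and new SPI 0x2000
 * are both still MATURE, so only the sysctl decides which one is used. */
static const struct sa rekeyed[] = {
    { 0x1000, 100, SA_MATURE },
    { 0x2000, 200, SA_MATURE },
};

unsigned chosen_spi(int preferred_oldsa)
{
    const struct sa *s = select_sa(rekeyed, 2, preferred_oldsa);
    return s ? s->spi : 0;
}
```

With preferred_oldsa=1 the old SPI 0x1000 stays in use after the rekey; with 0 traffic moves to 0x2000 as soon as it is MATURE, matching peers that prefer the new SA.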