From: VANHULLEBUS Yvan
To: freebsd-net@freebsd.org
Date: Fri, 27 Jan 2006 09:44:58 +0100
Subject: Re: Duplicate SAD entries lead to ESP tunnel malfunction

On Thu, Jan 26, 2006 at 11:51:36AM -0800, Julian Elischer wrote:
> Oleg Tarasov wrote:
> There is a sysctl that can help this behaviour but I forget which
>
> something to do with ipsec and oldSAD or newSAD or something..

net.key.prefered_oldsa, or net.key.preferred_oldsa (changed since 4.X).
It is 1 by default, and it should be set to 0 to help better
interoperability with lots of peers.....

Yvan.

-- 
NETASQ - Secure Internet Connectivity
http://www.netasq.com