Date: Thu, 4 Oct 2001 12:39:05 +0200
From: Guido van Rooij
To: Shoichi Sakane
Cc: freebsd-net@freebsd.org
Subject: Re: IPsec rekey question (bug in racoon?)
Message-ID: <20011004123905.C74306@gvr.gvr.org>
References: <20011003130015.A68282@gvr.gvr.org> <20011004174748J.sakane@kame.net>
In-Reply-To: <20011004174748J.sakane@kame.net>; from sakane@kame.net on Thu, Oct 04, 2001 at 05:47:48PM +0900

On Thu, Oct 04, 2001 at 05:47:48PM +0900, Shoichi Sakane wrote:
> the freebsd's ipsec stack always uses old SA when there are some SAs for
> the communication. so the other side system used old SA even when the one
> had new SA.
> latest KAME has the flag, net.key.prefered_oldsa, which makes the kernel
> to be used new SA or old one. if the flag is not 0, the kernel uses
> new one.

With that I can fix my case. Is there a special reason to default to
the old one, because that breaks rebooting systems, doesn't it?

-Guido
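
The reboot case raised in this thread, as an added C model that is not part of the original message and is not KAME or FreeBSD code: a sender holding two SAs to one peer picks one by age, and the peer, having rebooted, accepts only the SPI it negotiated afterwards. All struct, enum and function names and the SPI values are constructed for illustration, and how `net.key.prefered_oldsa` values map to the two policies is not modelled.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Simplified model of outbound SA selection; every name here is hypothetical. */
struct sa { uint32_t spi; long created; int mature; };

enum sa_policy { PREFER_OLD, PREFER_NEW };

/* Pick the outbound SA among all mature SAs to one peer. */
const struct sa *select_sa(const struct sa *sas, size_t n, enum sa_policy p)
{
    const struct sa *best = NULL;
    for (size_t i = 0; i < n; i++) {
        if (!sas[i].mature)
            continue;               /* larval or dying SAs are never used */
        if (best == NULL ||
            (p == PREFER_OLD && sas[i].created < best->created) ||
            (p == PREFER_NEW && sas[i].created > best->created))
            best = &sas[i];
    }
    return best;
}

/* The receiver accepts a packet only if it still holds an SA with that SPI. */
int peer_accepts(const uint32_t *peer_spis, size_t n, uint32_t spi)
{
    for (size_t i = 0; i < n; i++)
        if (peer_spis[i] == spi)
            return 1;
    return 0;
}

/* Constructed scenario: the peer rebooted, lost SPI 0x1000 and negotiated
 * 0x2000; the local SA database holds both until the old one expires. */
int delivered_after_peer_reboot(enum sa_policy p)
{
    const struct sa local[] = {
        { 0x1000, 100, 1 },         /* negotiated before the peer rebooted */
        { 0x2000, 500, 1 },         /* negotiated after the peer rebooted */
    };
    const uint32_t peer[] = { 0x2000 };
    const struct sa *out = select_sa(local, 2, p);
    return out != NULL && peer_accepts(peer, 1, out->spi);
}

int main(void)
{
    printf("prefer old: delivered=%d\n", delivered_after_peer_reboot(PREFER_OLD));
    printf("prefer new: delivered=%d\n", delivered_after_peer_reboot(PREFER_NEW));
    return 0;
}
```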