Date: Sat, 25 May 2002 06:33:15 -0700 (PDT)
From: Jerry Murdock <jerry_murdock@yahoo.com>
To: Shoichi Sakane <sakane@kame.net>
Cc: FreeBSD-Security@FreeBSD.ORG
Subject: Re: Racoon SA Hard/Soft Lifetimes
Message-ID: <20020525133315.86705.qmail@web14603.mail.yahoo.com>
In-Reply-To: <20020525122004P.sakane@kame.net>
--- Shoichi Sakane <sakane@kame.net> wrote:
> > I've successfully got a 2-day-old -Stable build to talk IPSEC/IKE with a
> > Sonicwall, but things fall apart when the SAs hit the soft lifetime limit.
> >
> > A new SA is successfully negotiated with the Sonicwall when the soft lifetime
> > runs out, but the Sonicwall then ignores anything coming into it on the "old"
> > SA (which FBSD uses until the hard lifetime runs out).
>
> if your system has "net.key.preferred_oldsa" system wide value,
> you can configure the kernel using new SA immediately.
>
> try like the following,
> # sysctl -w net.key.preferred_oldsa=0

Sounds like exactly what I was looking for; unfortunately it doesn't seem to have any effect. I still see the counters for the old SA incrementing, and nothing going out the new SA until the old one expires completely.

For now, I've modified racoon to set the soft lifetime to "hard lifetime - 10 seconds." The value seems to work quite well for the connection in question with no apparent key-renegotiation packet loss.

Thanks,
Jerry
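The symptom Jerry describes (a fresh SA is negotiated at the soft lifetime, but the kernel keeps sending on the older SA until its hard lifetime, so the peer drops that traffic) can be confirmed from two consecutive SA dumps rather than by watching counters by eye. The script below is an added example, not part of this message, racoon, or the KAME tools. It assumes a dump layout modelled on `setkey -D` style output (the `spi=`, `diff:/hard:/soft:` and `current: N(bytes)` fields); the two sample snapshots, their SPIs and counters are constructed for the example. It flags any SA that is past its soft lifetime, is not the newest SA, and still accumulates bytes between the two snapshots, and it computes the "hard minus margin" soft lifetime Jerry settled on.

```python
"""Spot an IPsec SA that keeps carrying traffic after a newer SA has been set up.

Added example (not racoon/KAME code). The dump format below is an assumption
modelled on setkey -D output; the two snapshots are constructed sample data.
"""
import re
from dataclasses import dataclass

# Snapshot taken just after the soft lifetime (2880 s) expired and a new SA appeared.
SAMPLE_T0 = """\
10.0.0.1 10.0.0.2
    esp mode=tunnel spi=268435457(0x10000001) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    diff: 2890(s)  hard: 3600(s)  soft: 2880(s)
    current: 1048576(bytes)  hard: 0(bytes)  soft: 0(bytes)
10.0.0.1 10.0.0.2
    esp mode=tunnel spi=268435458(0x10000002) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    diff: 5(s)  hard: 3600(s)  soft: 2880(s)
    current: 0(bytes)  hard: 0(bytes)  soft: 0(bytes)
"""

# Same pair ten seconds later: the old SA's byte counter grew, the new one stayed at zero.
SAMPLE_T1 = """\
10.0.0.1 10.0.0.2
    esp mode=tunnel spi=268435457(0x10000001) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    diff: 2900(s)  hard: 3600(s)  soft: 2880(s)
    current: 2097152(bytes)  hard: 0(bytes)  soft: 0(bytes)
10.0.0.1 10.0.0.2
    esp mode=tunnel spi=268435458(0x10000002) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    diff: 15(s)  hard: 3600(s)  soft: 2880(s)
    current: 0(bytes)  hard: 0(bytes)  soft: 0(bytes)
"""

SA_HEADER = re.compile(r"^\s+esp\s+mode=\S+\s+spi=(\d+)\(")
LIFETIMES = re.compile(r"^\s+diff:\s*(\d+)\(s\)\s+hard:\s*(\d+)\(s\)\s+soft:\s*(\d+)\(s\)")
BYTE_COUNT = re.compile(r"^\s+current:\s*(\d+)\(bytes\)")


@dataclass
class SAState:
    spi: int
    age: int        # seconds since the SA was created (the "diff" field)
    hard: int       # hard lifetime in seconds
    soft: int       # soft lifetime in seconds
    bytes_out: int  # bytes carried so far (the "current: N(bytes)" field)


def parse_sa_dump(text: str) -> dict[int, SAState]:
    """Parse one dump into a mapping SPI -> SAState."""
    sas: dict[int, SAState] = {}
    cur = None
    for line in text.splitlines():
        m = SA_HEADER.match(line)
        if m:
            cur = SAState(int(m.group(1)), 0, 0, 0, 0)
            sas[cur.spi] = cur
            continue
        if cur is None:
            continue
        m = LIFETIMES.match(line)
        if m:
            cur.age, cur.hard, cur.soft = (int(g) for g in m.groups())
            continue
        m = BYTE_COUNT.match(line)
        if m:
            cur.bytes_out = int(m.group(1))
    return sas


def diagnose(before: dict[int, SAState], after: dict[int, SAState]) -> dict[int, dict]:
    """Compare two snapshots; an SA past its soft lifetime that is not the newest
    one but still gains bytes is reported as 'stale-in-use'."""
    newest_spi = min(after.values(), key=lambda s: s.age).spi
    report = {}
    for spi, sa in after.items():
        delta = sa.bytes_out - (before[spi].bytes_out if spi in before else 0)
        if spi != newest_spi and delta > 0 and sa.age >= sa.soft:
            verdict = "stale-in-use"
        elif spi == newest_spi and delta > 0:
            verdict = "active"
        else:
            verdict = "idle"
        report[spi] = {"verdict": verdict, "bytes_delta": delta,
                       "seconds_to_hard": sa.hard - sa.age}
    return report


def soft_lifetime_for(hard_seconds: int, margin_seconds: int = 10) -> int:
    """The workaround from the message: soft lifetime = hard lifetime - margin."""
    if not 0 < margin_seconds < hard_seconds:
        raise ValueError("margin must be positive and smaller than the hard lifetime")
    return hard_seconds - margin_seconds


if __name__ == "__main__":
    for spi, info in diagnose(parse_sa_dump(SAMPLE_T0), parse_sa_dump(SAMPLE_T1)).items():
        print(f"spi=0x{spi:08x} {info}")
    print("soft lifetime for hard=3600:", soft_lifetime_for(3600))
```

Run against two real dumps taken a few seconds apart, the `stale-in-use` verdict is the observable Jerry reports, and `seconds_to_hard` tells you how long the peer will keep discarding traffic before the kernel finally switches; shrinking that window is exactly what setting the soft lifetime to the hard lifetime minus a small margin does.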