From: Julian Elischer <julian@elischer.org>
Date: Fri, 27 Jan 2006 10:19:58 -0800
To: FreeBSD MailList
Cc: freebsd-net@freebsd.org, VANHULLEBUS Yvan
Subject: Re: Duplicate SAD entries lead to ESP tunnel malfunction
Message-ID: <43DA644E.9090703@elischer.org>
In-Reply-To: <603364524.20060127113646@osk.com.ua>
References: <83462512.20060126181018@osk.com.ua> <43D92848.2050005@elischer.org> <20060127084457.GA21360@zen.inc> <603364524.20060127113646@osk.com.ua>

Oleg Tarasov wrote:
> Hello,
>
> VANHULLEBUS Yvan wrote:
>
>> net.key.prefered_oldsa, or net.key.preferred_oldsa (changed since
>> 4.X).
>>
>> It is 1 by default, and it should be set to 0 to help better
>> interoperability with lots of peers.....
>
> This seems quite like the correct solution. I analyzed the behavior of the
> interface and saw incoming ping requests (obviously) AND outgoing ping
> echoes, but the remote host didn't get them. Obviously incoming packets
> were decrypted using one of the SAs (the new one) but outgoing packets
> were encrypted using the old SA, which is not present on the remote host due to
> some problems (like forced reboot, connection problems etc).

Yes, let us know if that solves your problem. Remember you don't need to reboot to set it; the result should be instantaneous.

> Normally in this case the remote host must report an unknown SPI, but
> either it lacks this function or it just ignores these packets. As it
> is a hardware router I am unaware of its behavior.
>
> I will test this solution for some time but I am sure this will help.
>
> Thanx for the really great help - all these troubles are on my production
> box and every minute of malfunction returns to me with #not good#
> words of my boss :/
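An added example for the diagnosis discussed in this thread; it is not code from the thread or from FreeBSD. The script parses `setkey -D`-style SAD output to find peer pairs that carry more than one ESP SA in the same direction (the duplicate entries that leave outbound traffic on an SA the peer has already forgotten), and interprets the `net.key.preferred_oldsa` value that Yvan recommends setting to 0. The SAD listing, addresses and SPIs are constructed sample data; the function names are my own.

```sh
#!/bin/sh
# Added example: spot duplicate ESP SAs per direction and interpret the
# net.key.preferred_oldsa sysctl. Not part of the original thread.

# Constructed sample in the shape of FreeBSD `setkey -D` output. The
# 192.0.2.10 -> 198.51.100.20 direction has two mature SAs (a stale one and
# the freshly negotiated one); the reverse direction has only one.
SAMPLE_SAD='192.0.2.10 198.51.100.20
    esp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
    E: aes-cbc  00112233 44556677 8899aabb ccddeeff
    A: hmac-sha1  00000000 00000000 00000000 00000000 00000000
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jan 27 10:01:15 2006   current: Jan 27 10:19:58 2006
192.0.2.10 198.51.100.20
    esp mode=tunnel spi=2271560481(0x87654321) reqid=0(0x00000000)
    E: aes-cbc  ffeeddcc bbaa9988 77665544 33221100
    A: hmac-sha1  11111111 11111111 11111111 11111111 11111111
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jan 27 10:18:40 2006   current: Jan 27 10:19:58 2006
198.51.100.20 192.0.2.10
    esp mode=tunnel spi=2271560482(0x87654322) reqid=0(0x00000000)
    E: aes-cbc  ffeeddcc bbaa9988 77665544 33221100
    A: hmac-sha1  22222222 22222222 22222222 22222222 22222222
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jan 27 10:18:40 2006   current: Jan 27 10:19:58 2006'

# Reads setkey -D output on stdin. Prints one line per (src dst) direction
# that has more than one ESP SA: "<src> <dst> <count> <spi> <spi> ...".
# A direction listed here is the situation from the thread: the kernel may
# keep encrypting with the older SPI while the peer only knows the newer one.
find_duplicate_sas() {
    awk '
        # An unindented line with two fields is the "src dst" header of an SA.
        /^[^ \t]/ && NF == 2 { pair = $1 " " $2; next }
        # The indented "esp ..." line carries the SPI for that SA.
        /^[ \t]+esp / {
            spi = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^spi=/) { spi = $i; sub(/^spi=/, "", spi) }
            }
            count[pair]++
            spis[pair] = spis[pair] " " spi
        }
        END {
            for (p in count) if (count[p] > 1) print p, count[p] spis[p]
        }
    ' | sort
}

# $1 is the value of net.key.preferred_oldsa. Returns 0 when outbound traffic
# will use the newest SA (the setting recommended in the thread), 1 when the
# kernel keeps preferring the old SA, 2 for anything else.
describe_preferred_oldsa() {
    case "$1" in
        0) echo "preferred_oldsa=0: outbound traffic switches to the newest SA"; return 0 ;;
        1) echo "preferred_oldsa=1 (default): outbound traffic keeps the old SA; a peer that has dropped it sees an unknown SPI"; return 1 ;;
        *) echo "preferred_oldsa has unexpected value: $1" >&2; return 2 ;;
    esac
}

# Demo: check the constructed sample, then the live sysctl if this host has
# it (FreeBSD). On other systems the sysctl lookup simply fails and is skipped.
printf '%s\n' "$SAMPLE_SAD" | find_duplicate_sas
if command -v sysctl >/dev/null 2>&1 && v=$(sysctl -n net.key.preferred_oldsa 2>/dev/null); then
    describe_preferred_oldsa "$v" || true
fi
```

On a live FreeBSD box the same check runs as `setkey -D | find_duplicate_sas`; the change itself is `sysctl net.key.preferred_oldsa=0`, which takes effect immediately, as Julian notes, and can be persisted in /etc/sysctl.conf.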