Date:      Mon, 28 Sep 2015 10:08:25 +0200 (CEST)
From:      Emeric POUPON <emeric.poupon@stormshield.eu>
To:        FreeBSD Net <freebsd-net@freebsd.org>
Subject:   Re: IPsec: question on the sysctl preferred_oldsa
Message-ID:  <1049417046.2997430.1443427705821.JavaMail.zimbra@stormshield.eu>
In-Reply-To: <868621474.11105551.1439798865541.JavaMail.zimbra@stormshield.eu>
References:  <868621474.11105551.1439798865541.JavaMail.zimbra@stormshield.eu>

Hello,

No idea on this question?
To sum up the potential problems:
- strongSwan does not expect the kernel to destroy an SA, and produces errors after that (it cannot find the expected SA in the kernel since it has been deleted)
- racoon uses the "delete" event from the kernel and creates an ISAKMP DELETE message to the remote host, with the relevant SPI. In some situations, both endpoints negotiate a pair of SAs at the same time, and keep deleting their old SA and renegotiating. I suspect this behavior to be related to this sysctl.

What do you think?

Emeric

----- Original Message -----
From: "Emeric POUPON" <emeric.poupon@stormshield.eu>
To: "FreeBSD Net" <freebsd-net@freebsd.org>
Sent: Monday 17 August 2015 10:07:45
Subject: IPsec: question on the sysctl preferred_oldsa

Hello,

I have some questions about the sysctl "net.key.preferred_oldsa":
https://svnweb.freebsd.org/base/head/sys/netipsec/key.c?view=markup#l971

When I set net.key.preferred_oldsa to 0 (similar to Linux's behavior, according to what I have read so far):
- why does the kernel itself delete the old SA? Why not just select the newest one?
- why does it delete the old SA only if it has been created in another "second" of time?

strongSwan does not expect that behavior and I can see a lot of errors in its logs: the SA has been deleted but it does not know about that (strongSwan wants to control the SA installation/deletion itself).
Two pairs of SAs may be negotiated and installed at the same time due to high load and bidirectional traffic. It seems to be quite questionable to delete the old one in that case.

What do you think?

Emeric
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
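Added example, not part of this thread and not code from sys/netipsec/key.c: a small C model of the selection rule exactly as the mail describes it (newest SA wins when net.key.preferred_oldsa is 0, the loser is deleted only if it was created in a different second; oldest SA wins and nothing is deleted when the sysctl is 1). The struct, the function names, the SPIs and the timestamps are constructed for the model, and the deletion counter stands in for the kernel delete event that the mail says racoon turns into an ISAKMP DELETE. It exists to make the "same second" corner case and the deletion side effect concrete before anyone relies on either.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a security association: only the fields the
 * selection rule in the mail needs. Not the kernel's own structure. */
struct model_sa {
    uint32_t spi;
    int64_t  addtime;   /* creation time in whole seconds (1-second resolution) */
    int      dead;      /* 1 once the rule has deleted this SA */
};

/*
 * Hypothetical model of the rule described for net.key.preferred_oldsa
 * (an assumption drawn from the mail, not a transcription of key.c):
 *   preferred_oldsa != 0: the oldest live SA is selected; nothing is deleted.
 *   preferred_oldsa == 0: the newest live SA is selected, and every other live
 *       SA created in an EARLIER second is deleted. SAs created in the same
 *       second as the winner survive; ties keep the first one installed.
 * Returns the index of the selected SA, or -1 if no live SA exists. Each
 * deletion increments *ndeleted, standing in for the delete event reported
 * to userland (the event racoon acts on, per the mail).
 */
int model_select_sa(struct model_sa *sas, size_t n, int preferred_oldsa, int *ndeleted)
{
    int best = -1;
    for (size_t i = 0; i < n; i++) {
        if (sas[i].dead)
            continue;
        if (best < 0 ||
            (preferred_oldsa ? sas[i].addtime < sas[best].addtime
                             : sas[i].addtime > sas[best].addtime))
            best = (int)i;
    }
    if (best < 0 || preferred_oldsa)
        return best;
    /* preferred_oldsa == 0: delete every live SA from an earlier second */
    for (size_t i = 0; i < n; i++) {
        if (!sas[i].dead && (int)i != best && sas[i].addtime < sas[best].addtime) {
            sas[i].dead = 1;
            (*ndeleted)++;
        }
    }
    return best;
}

/* Constructed two-SA scenario: SPI 0x1001 created at t_a, SPI 0x1002 at t_b.
 * Returns how many SAs the rule deletes (i.e. how many delete events fire). */
int scenario_deleted(int64_t t_a, int64_t t_b, int preferred_oldsa)
{
    struct model_sa sas[2] = { {0x1001, t_a, 0}, {0x1002, t_b, 0} };
    int ndeleted = 0;
    model_select_sa(sas, 2, preferred_oldsa, &ndeleted);
    return ndeleted;
}

/* Same scenario; returns the SPI of the SA selected for traffic (0 if none). */
uint32_t scenario_chosen_spi(int64_t t_a, int64_t t_b, int preferred_oldsa)
{
    struct model_sa sas[2] = { {0x1001, t_a, 0}, {0x1002, t_b, 0} };
    int ndeleted = 0;
    int idx = model_select_sa(sas, 2, preferred_oldsa, &ndeleted);
    return idx < 0 ? 0 : sas[idx].spi;
}

int main(void)
{
    /* old SA at t=100, new one at t=101: with preferred_oldsa=0 the old one is deleted */
    printf("different second, preferred_oldsa=0: chosen 0x%x, deleted %d\n",
           scenario_chosen_spi(100, 101, 0), scenario_deleted(100, 101, 0));
    /* both negotiated within the same second: nothing is deleted, first one kept */
    printf("same second,      preferred_oldsa=0: chosen 0x%x, deleted %d\n",
           scenario_chosen_spi(100, 100, 0), scenario_deleted(100, 100, 0));
    /* preferred_oldsa=1: oldest selected, nothing deleted */
    printf("different second, preferred_oldsa=1: chosen 0x%x, deleted %d\n",
           scenario_chosen_spi(100, 101, 1), scenario_deleted(100, 101, 1));
    return 0;
}
```

The two scenario functions are where the mail's concern shows up: with the sysctl at 0, two SAs that land one second apart produce a deletion (and therefore a delete event for the IKE daemon), while two that land in the same second produce none, so the outcome of a concurrent negotiation depends on timing at one-second granularity rather than on anything the daemons decided.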


