From: Shoichi Sakane
To: freebsd-net@freebsd.org
Subject: Re: IPsec rekey question (bug in racoon?)
Date: Fri, 05 Oct 2001 09:23:37 +0900
In-Reply-To: <20011004123905.C74306@gvr.gvr.org>
Message-Id: <20011005092337B.sakane@kame.net>

> > The FreeBSD IPsec stack always uses the old SA when there are several SAs for
> > the communication, so the other side used the old SA even when the one had a
> > new SA.
> With that I can fix my case. Is there a special reason to default to the old
> one, because that breaks rebooting systems, doesn't it?

If the new SA were used when this system had installed the SA but the other
system had not installed the SA yet, some packets would be lost. When the system
rebooted, it would cause the problem as you said.

You can get more information from draft-jenkins-ipsec-rekeying-06.txt. Although
this draft has expired already, you can get it from the Internet somewhere.
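A toy model of the two situations discussed in the thread, added here as an illustration and not KAME or racoon code: each host keeps an outbound SA list (oldest first) and a set of inbound SPIs it accepts, and the sender picks either the oldest or the newest outbound SA. The SPI values, host names and the "old"/"new" policy labels are constructed for the simulation.

```python
# Constructed model of outbound SA selection during IPsec rekeying.
# Not the FreeBSD/KAME implementation; SPIs and names are made up.

class Peer:
    """A host with an ordered outbound SADB and the inbound SPIs it accepts."""
    def __init__(self, name, prefer):
        self.name = name
        self.prefer = prefer      # "old" (the behaviour described in the thread) or "new"
        self.outbound = []        # SPIs usable towards the other host, oldest first
        self.inbound = set()      # SPIs this host will decrypt

    def select_sa(self):
        """Pick the outbound SA according to the configured preference."""
        if not self.outbound:
            return None
        return self.outbound[0] if self.prefer == "old" else self.outbound[-1]

def install_pair(a, b, spi_ab, spi_ba):
    """Both sides complete a negotiation: a->b uses spi_ab, b->a uses spi_ba."""
    a.outbound.append(spi_ab); b.inbound.add(spi_ab)
    b.outbound.append(spi_ba); a.inbound.add(spi_ba)

def send(src, dst):
    """True if a packet from src is accepted by dst under src's SA choice."""
    spi = src.select_sa()
    return spi is not None and spi in dst.inbound

def rekey_race(prefer):
    """A has installed the new SA but B has not yet: does A's packet survive?"""
    a, b = Peer("A", prefer), Peer("B", prefer)
    install_pair(a, b, 0x1001, 0x2001)
    a.outbound.append(0x1002)          # A's side of the rekey is done, B's is not
    return send(a, b)

def reboot_case(prefer):
    """B reboots (losing every SA) and renegotiates; A still holds the old SA."""
    a, b = Peer("A", prefer), Peer("B", prefer)
    install_pair(a, b, 0x1001, 0x2001)
    b.outbound.clear(); b.inbound.clear()   # reboot wipes B's SADB
    install_pair(a, b, 0x1002, 0x2002)      # fresh negotiation after the reboot
    return send(a, b)

if __name__ == "__main__":
    for policy in ("old", "new"):
        print(policy, "rekey race ok:", rekey_race(policy),
              "reboot ok:", reboot_case(policy))
```

Preferring the old SA survives the rekey race but loses packets after a peer reboot, while preferring the new SA does the opposite; neither choice alone covers both cases, which is the trade-off the reply points at.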