From owner-freebsd-net Fri Jan 18 1:39:27 2002
Delivered-To: freebsd-net@freebsd.org
Received: from jane.inty.net (jane.inty.net [195.224.93.242]) by hub.freebsd.org (Postfix) with ESMTP id 6D40237B41D for ; Fri, 18 Jan 2002 01:39:20 -0800 (PST)
Received: from inty.hq.inty.net (inty.hq.inty.net [213.38.150.150]) by jane.inty.net (8.11.3/8.11.3) with ESMTP id g0I9dGo55461 for ; Fri, 18 Jan 2002 09:39:16 GMT
Received: from tariq ([10.0.1.156]) by inty.hq.inty.net (8.12.1/8.12.1) with SMTP id g0I9d6dj019998 for ; Fri, 18 Jan 2002 09:39:06 GMT
From: "Tariq Rashid"
To:
Subject: what is the corect ISEC behaviour for new connections over old ones?
Date: Fri, 18 Jan 2002 09:41:47 -0000
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
In-Reply-To:
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Sender-IP: 10.0.1.156
X-suppress-rcpt-virus-notify: yes
X-Skip-Virus-Check: yes
X-Virus-Checked: 3536
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I know there's been some debate on this, but what is the current thinking in the light of any possible changes to KAME?

The problem is that classic one: two IPsec hosts negotiate keys (one's a server, one's a client), establish SAs, and all is well.

Now, if one IKE daemon is gracefully pulled down, it sends a delete to itself and the other host, clearing the SPD and SAD entries. All is fine too. (I'm using isakmpd.)

Now, what __should__ happen if one of the hosts, client or server, is ungracefully rebooted? Should the server NOT respond to a new phase 1 negotiation? Or should it wait till the full phase 1 timeout, which could be 8 hours or more? Or should it accept the new negotiation?

I think (I may be wrong) that FreeBSD 4.4R does accept new negotiations, and new entries are placed in the SAD, BUT the machine accepts new-SPI streams but sends back old-SPI streams, confusing the rebooted machine.

Any light on this?

Tariq

intY has automatically scanned this email with Sophos Anti-Virus (www.inty.net)

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
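The failure mode the post describes (responder accepts the rebooted peer's new inbound SPI but keeps encrypting to it with the stale outbound SA, so the peer drops every reply) is easy to reproduce with a toy SAD model. The following is an added example, not code from the post, isakmpd or KAME: it assumes a simplified SAD where the naive outbound lookup returns the oldest SA for a peer, and it contrasts that with a responder that flushes the peer's old SAs when a fresh phase 1 arrives (the signal IKEv1 provides for this is the INITIAL-CONTACT notification of RFC 2407; the `initial_contact` flag, the `SAD`/`SA` classes and the SPI values are constructed for the example).

```python
"""Toy IPsec SAD model: a peer reboots ungracefully and renegotiates.

Added example; not code from the original post, isakmpd or KAME.
"""
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class SA:
    spi: int
    peer: str
    direction: str  # "in": we decrypt with it, "out": we encrypt with it
    seq: int        # install order, lower is older


class SAD:
    """Security Association Database for one host (assumed, simplified)."""

    def __init__(self, flush_on_initial_contact):
        # Policy under test: on a fresh phase 1 from a known peer, drop that
        # peer's existing SAs before installing the newly negotiated pair.
        self.flush_on_initial_contact = flush_on_initial_contact
        self.sas = []
        self._seq = itertools.count()

    def install_pair(self, peer, spi_in, spi_out):
        for direction, spi in (("in", spi_in), ("out", spi_out)):
            self.sas.append(SA(spi, peer, direction, next(self._seq)))

    def delete_peer(self, peer):
        self.sas = [sa for sa in self.sas if sa.peer != peer]

    def phase1_complete(self, peer, initial_contact, spi_in, spi_out):
        """Called when a phase 1 + phase 2 exchange with `peer` finishes."""
        if initial_contact and self.flush_on_initial_contact:
            self.delete_peer(peer)
        self.install_pair(peer, spi_in, spi_out)

    def outbound_spi(self, peer):
        # Assumed naive lookup: the oldest outbound SA for the peer wins.
        # This is what reproduces the "sends back old-SPI streams" symptom.
        cands = sorted((sa for sa in self.sas
                        if sa.peer == peer and sa.direction == "out"),
                       key=lambda sa: sa.seq)
        return cands[0].spi if cands else None

    def accepts_inbound(self, spi):
        return any(sa.spi == spi and sa.direction == "in" for sa in self.sas)


def simulate(flush_on_initial_contact):
    server = SAD(flush_on_initial_contact)
    client = SAD(flush_on_initial_contact)

    # 1. Normal negotiation. SPI values are constructed for the example.
    server.phase1_complete("client", False, spi_in=0x1001, spi_out=0x2001)
    client.phase1_complete("server", False, spi_in=0x2001, spi_out=0x1001)

    # 2. Client is rebooted ungracefully: its SAD is gone, no DELETE was sent.
    client = SAD(flush_on_initial_contact)

    # 3. Client renegotiates from scratch. The fresh phase 1 (carrying an
    #    INITIAL-CONTACT notify) is the server's only hint the old SAs are dead.
    server.phase1_complete("client", True, spi_in=0x1002, spi_out=0x2002)
    client.phase1_complete("server", True, spi_in=0x2002, spi_out=0x1002)

    # 4. Traffic. Client -> server uses the client's only outbound SA;
    #    server -> client uses whatever the server's lookup picks.
    c2s = client.outbound_spi("server")
    s2c = server.outbound_spi("client")
    return {
        "server_accepts_new_spi": server.accepts_inbound(c2s),
        "server_out_spi": s2c,
        "client_accepts_reply": client.accepts_inbound(s2c),
        "server_sa_count": len(server.sas),
    }


if __name__ == "__main__":
    for policy in (False, True):
        print("flush_on_initial_contact=%s -> %s" % (policy, simulate(policy)))
```

With the flush disabled, the server ends up holding four SAs for the peer, accepts traffic on the new inbound SPI, yet replies on the old outbound SPI that only the pre-reboot client knew about; with the flush enabled it holds just the new pair and the rebooted client can decrypt the reply. Real daemons differ in whether they honour INITIAL-CONTACT and in how the kernel chooses among several outbound SAs for one policy, which is exactly what the post is asking about.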