Date: Thu, 1 Apr 2004 09:34:27 +0200 (MET DST)
From: Helge Oldach <helge.oldach@atosorigin.com>
To: julian@elischer.org (Julian Elischer)
Cc: mike@sentex.net
Subject: Re: FAST_IPSEC bug fix
Message-ID: <200404010734.JAA24440@galaxy.hbg.de.ao-srv.com>
In-Reply-To: <Pine.BSF.4.21.0403311057590.56636-100000@InterJet.elischer.org> from Julian Elischer at "Mar 31, 2004 9: 0:24 pm"
Julian Elischer:
>On Wed, 31 Mar 2004, Helge Oldach wrote:
>> Mike Tancsa:
>> >Well, it's not totally a bug, but missing functionality that looks
>> >like it is there but is not, and is pretty important to keep lossy
>> >links functioning with IPSEC. My colleague gabor@sentex.net created
>> >the patch below that implements net.key.prefered_oldsa when using
>> >FAST_IPSEC.
>>
>> Yep, this is particularly important when running IPSec against other
>> vendors' IPSec implementation. Many appear to prefer the new SA over the
>> old one.
>
>Of course.. If you prefer the old SA over the new one and your peer is
>rebooted, then you can't talk to them until the old SA expires..

Actually you don't even need to reboot. The issue pops up already when a
new SA is negotiated, but one of the peers insists on using the old one and
the other insists on the new one. Yes, it *should* work in theory, but often
it doesn't. Seen with FreeBSD against Cisco devices, for instance.

Helge
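To make the mismatch described in this thread concrete, here is a small constructed model (added here; it is neither gabor's patch nor FreeBSD's key.c) of how a net.key.prefered_oldsa-style outbound SA choice interacts with a peer that discards the old SA after a rekey. SPIs, timestamps and the peers' behaviour are assumed, and one SPI stands in for the SA pair of a tunnel to keep the model short.

```c
#include <assert.h>
#include <stdio.h>

/* Constructed model: an SA with its SPI, creation time and state; each
 * peer holds the SAs it considers usable for one tunnel. */
enum { SA_MATURE = 1, SA_DEAD = 2 };
struct sa { unsigned spi; unsigned created; int state; };
struct peer { int prefer_old; struct sa sad[8]; int n; };

static void add_sa(struct peer *p, unsigned spi, unsigned created) {
    p->sad[p->n++] = (struct sa){ spi, created, SA_MATURE };
}

/* Models the prefered_oldsa choice: among MATURE SAs, pick the oldest
 * when prefer_old is set, otherwise the newest. Returns the SPI or 0. */
static unsigned pick_outbound(const struct peer *p) {
    const struct sa *best = NULL;
    for (int i = 0; i < p->n; i++) {
        const struct sa *s = &p->sad[i];
        if (s->state != SA_MATURE) continue;
        if (!best || (p->prefer_old ? s->created < best->created
                                    : s->created > best->created))
            best = s;
    }
    return best ? best->spi : 0;
}

/* The receiver only decrypts on an SA it still holds as MATURE. */
static int accepts_inbound(const struct peer *p, unsigned spi) {
    for (int i = 0; i < p->n; i++)
        if (p->sad[i].spi == spi && p->sad[i].state == SA_MATURE) return 1;
    return 0;
}

/* Scenario: SA 0x1000 set up at t=100; a rekey at t=200 installs 0x2000
 * on both sides; peer B (assumed to behave like the appliances the thread
 * mentions) may then drop the old SA. Returns 1 if A's traffic reaches B. */
static int traffic_flows(int a_prefers_old, int b_discards_old) {
    struct peer a = { a_prefers_old }, b = { 0 };
    add_sa(&a, 0x1000, 100); add_sa(&b, 0x1000, 100);
    add_sa(&a, 0x2000, 200); add_sa(&b, 0x2000, 200);
    if (b_discards_old) b.sad[0].state = SA_DEAD;
    return accepts_inbound(&b, pick_outbound(&a));
}

int main(void) {
    printf("A prefers old, B drops old: %s\n",
           traffic_flows(1, 1) ? "ok" : "blackholed");
    printf("A prefers new, B drops old: %s\n",
           traffic_flows(0, 1) ? "ok" : "blackholed");
    return 0;
}
```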