From owner-freebsd-hackers@FreeBSD.ORG Wed Mar 31 23:35:06 2004
Message-Id: <200404010734.JAA24440@galaxy.hbg.de.ao-srv.com>
In-Reply-To: from Julian Elischer at "Mar 31, 2004 9: 0:24 pm"
To: julian@elischer.org (Julian Elischer)
Date: Thu, 1 Apr 2004 09:34:27 +0200 (MET DST)
From: Helge Oldach
X-Address: Atos Origin GmbH, Friesenstraße 13, D-20097 Hamburg, Germany
X-Phone: +49 40 7886 7464, Fax: +49 40 7886 9464, Mobile: +49 160 4782517
cc: freebsd-hackers@freebsd.org
cc: mike@sentex.net
Subject: Re: FAST_IPSEC bug fix

Julian Elischer:
>On Wed, 31 Mar 2004, Helge Oldach wrote:
>> Mike Tancsa:
>> >Well, it's not totally a bug, but missing functionality that looks
>> >like is there but is not and is pretty important to keep lossy
>> >links functioning with IPSEC. My colleague gabor@sentex.net created
>> >the patch below that implements net.key.prefered_oldsa when using
>> >FAST_IPSEC.
>>
>> Yep, this is particularly important when running IPSec against other
>> vendors' IPSec implementation. Many appear to prefer the new SA over the
>> old one.
>
>Of course.. If you prefer the old SA over the new one and your peer is
>rebooted, then you can't talk to them until the old SA expires..

Actually you don't even need to reboot. The issue pops up already when a
new SA is negotiated, but one of the peers insists on using the old one
and the other insists on the new one. Yes, it *should* work in theory,
but often it doesn't. Seen with FreeBSD against Cisco devices, for
instance.

Helge
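The failure mode the thread describes (prefer-old-SA on one side, a peer that reboots or only keeps the newest SA on the other) is easy to see in a small model. The following is an added example, not code from the thread, from FreeBSD or from any vendor: it keeps two toy peers with per-direction SA lists, lets each peer pick either the oldest or the newest live outbound SA (the policy the thread's `net.key.prefered_oldsa` knob controls), and checks whether the receiving side still knows the SPI that was used. SPI values, lifetimes, peer names and the "vendor discards the superseded inbound SA after a rekey" behaviour are all constructed assumptions made to reproduce the interop problem, not documented behaviour of any implementation.

```python
"""Toy model of IPsec SA selection: prefer the oldest or the newest live SA.

Constructed example (not code from the FreeBSD thread). SPIs, lifetimes and
peer names are made up; the peer-side behaviour of discarding the superseded
inbound SA after a rekey is an assumption used to reproduce the reported
interop failure, not documented vendor behaviour.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SA:
    spi: int
    created: int   # seconds on a simulated clock
    expires: int


class Peer:
    def __init__(self, name, prefer_old_sa, drop_old_on_rekey=False):
        self.name = name
        self.prefer_old_sa = prefer_old_sa        # models the preferred-old-SA policy
        self.drop_old_on_rekey = drop_old_on_rekey  # assumed vendor behaviour
        self.outbound = []   # SAs this peer may use to send
        self.inbound = []    # SAs this peer will accept on receipt

    def install(self, out_sa, in_sa):
        if self.drop_old_on_rekey:
            self.outbound.clear()
            self.inbound.clear()
        self.outbound.append(out_sa)
        self.inbound.append(in_sa)

    def reboot(self):
        # A reboot loses all SA state; only what is negotiated afterwards exists.
        self.outbound.clear()
        self.inbound.clear()

    def select_outbound(self, now):
        live = [sa for sa in self.outbound if sa.expires > now]
        if not live:
            return None
        by_age = lambda sa: sa.created
        return min(live, key=by_age) if self.prefer_old_sa else max(live, key=by_age)

    def accepts(self, spi, now):
        return any(sa.spi == spi and sa.expires > now for sa in self.inbound)


def negotiate(a, b, spi_a_to_b, spi_b_to_a, now, lifetime=3600):
    """Result of a successful phase-2 exchange: both peers install a matching SA pair."""
    ab = SA(spi_a_to_b, now, now + lifetime)
    ba = SA(spi_b_to_a, now, now + lifetime)
    a.install(out_sa=ab, in_sa=ba)
    b.install(out_sa=ba, in_sa=ab)


def deliver(src, dst, now):
    """True if a packet sent now is protected with an SPI the receiver still knows."""
    sa = src.select_outbound(now)
    return sa is not None and dst.accepts(sa.spi, now)


def run(local_prefers_old, peer_prefers_old, peer_reboots=False, peer_drops_old=False):
    """Initial SA at t=0, rekey (or re-establishment) at t=600, check traffic both ways."""
    local = Peer("freebsd", local_prefers_old)
    peer = Peer("vendor", peer_prefers_old, drop_old_on_rekey=peer_drops_old)
    negotiate(local, peer, 0x1000, 0x2000, now=0)      # constructed SPIs
    if peer_reboots:
        peer.reboot()
    negotiate(local, peer, 0x1001, 0x2001, now=600)
    return {
        "local_to_peer": deliver(local, peer, now=601),
        "peer_to_local": deliver(peer, local, now=601),
        "local_to_peer_after_old_expiry": deliver(local, peer, now=3601),
    }


if __name__ == "__main__":
    print("both prefer old      :", run(True, True))
    print("mismatch, peer keeps :", run(True, False))
    print("mismatch, peer reboot:", run(True, False, peer_reboots=True))
    print("mismatch, peer drops :", run(True, False, peer_drops_old=True))
```

With both inbound SAs retained, a preference mismatch is harmless (the "should work in theory" case). Once the peer has lost the old SA, by rebooting or by discarding it at rekey, a local side that insists on the old SA sends with an SPI the peer no longer has, and outbound traffic is dead until the old SA's lifetime runs out while the reverse direction keeps working, which is exactly the asymmetric blackout worth alarming on from the FreeBSD side.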