From owner-freebsd-hackers Thu May 11 0:23:26 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from not.demophon.com (vpn.iscape.fi [195.170.146.67]) by hub.freebsd.org (Postfix) with ESMTP id C303037B7FD for ; Thu, 11 May 2000 00:23:09 -0700 (PDT) (envelope-from will@not.demophon.com)
Received: (from will@localhost) by not.demophon.com (8.9.3/8.8.7) id KAA36562; Thu, 11 May 2000 10:15:55 +0300 (EEST) (envelope-from will)
To: dillon@apollo.backplane.com (Matthew Dillon)
Cc: hackers@freebsd.org
Subject: Re: ipsec 'replay' syslog error messages after reboot of one host
References: <200005110127.SAA61600@apollo.backplane.com>
From: Ville-Pertti Keinonen
Date: 11 May 2000 10:15:55 +0300
In-Reply-To: dillon@apollo.backplane.com's message of "11 May 2000 04:27:38 +0300"
Message-ID: <863dnplfpw.fsf@not.demophon.com>
Lines: 12
X-Mailer: Gnus v5.5/XEmacs 20.4 - "Emerald"
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

dillon@apollo.backplane.com (Matthew Dillon) writes:

> The question is: What am I forgetting to do? Or is this a bug in our
> IPSEC implementation?

AFAIK this is more or less how it's supposed to work. IPsec is a mess.

Security associations are not stateless; ESP provides replay protection using a sequence number. Replay prevention is, however, optional, and the setkey manual page claims it to be off by default, so it could be a bug... you might want to try specifying -r 0 explicitly.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
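The mechanism behind the reply, as an added example that is not part of the original thread and not FreeBSD's or KAME's own code: a C model of the ESP anti-replay sliding window in the style of RFC 2401 Appendix C, driven through the scenario in the subject line, where one peer reboots and restarts its ESP sequence counter at 1 while the other peer still holds the live SA with its advanced window. The 64-packet window size and all function and type names are assumptions made for the demo; the real kernel state and logging differ.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Window size is an assumption for this demo (RFC 2401 requires at least 32). */
#define REPLAY_WINDOW 64

/* Per-SA anti-replay state: the receiver remembers the highest sequence
 * number accepted and a bitmap of which of the previous REPLAY_WINDOW-1
 * sequence numbers it has already seen. */
struct replay_state {
    uint32_t last_seq;   /* highest sequence number accepted so far */
    uint64_t bitmap;     /* bit i set => (last_seq - i) already received */
    unsigned long drops; /* packets rejected as replayed or too old */
};

static void replay_init(struct replay_state *st)
{
    st->last_seq = 0;
    st->bitmap = 0;
    st->drops = 0;
}

/* Anti-replay check for one inbound ESP packet with sequence number seq.
 * Returns true and records seq if it is new and inside the window; returns
 * false (and counts a drop) if it is a duplicate, older than the window, or
 * zero (ESP sequence numbers start at 1). */
static bool replay_check(struct replay_state *st, uint32_t seq)
{
    if (seq == 0) {
        st->drops++;
        return false;
    }
    if (seq > st->last_seq) {
        /* New high-water mark: slide the window right by the gap. */
        uint32_t diff = seq - st->last_seq;
        if (diff < REPLAY_WINDOW)
            st->bitmap = (st->bitmap << diff) | 1;
        else
            st->bitmap = 1;          /* jumped past the whole window */
        st->last_seq = seq;
        return true;
    }
    uint32_t diff = st->last_seq - seq;
    if (diff >= REPLAY_WINDOW) {     /* left of the window: too old */
        st->drops++;
        return false;
    }
    if (st->bitmap & ((uint64_t)1 << diff)) {  /* already seen: replay */
        st->drops++;
        return false;
    }
    st->bitmap |= (uint64_t)1 << diff;         /* late but new: accept */
    return true;
}

/* Model of the reported scenario. The receiver's SA has already accepted
 * seq 1..before_reboot from its peer. The peer then reboots and, reusing the
 * same SA (same SPI and keys), restarts its counter at 1 and sends n_after
 * packets. Returns how many of those the receiver discards. */
static unsigned long drops_after_peer_reboot(uint32_t before_reboot,
                                             uint32_t n_after)
{
    struct replay_state st;
    replay_init(&st);
    for (uint32_t s = 1; s <= before_reboot; s++)
        replay_check(&st, s);
    for (uint32_t s = 1; s <= n_after; s++)
        replay_check(&st, s);
    return st.drops;
}

int main(void)
{
    printf("peer sent 1000 packets, rebooted, sent 100 more: %lu dropped\n",
           drops_after_peer_reboot(1000, 100));
    printf("peer sent 50 packets, rebooted, sent 100 more: %lu dropped\n",
           drops_after_peer_reboot(50, 100));
    return 0;
}
```

The model shows why the symptom is persistent rather than transient: once the live SA's high-water mark is more than a window ahead of the rebooted peer's restarted counter, every packet from that peer is discarded until the peer's counter climbs past the old mark or the SA is replaced with fresh state. In the second case above, only the first 50 restarted packets collide with the window bitmap and the rest are accepted because they exceed the old high-water mark.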