Date:      11 May 2000 10:15:55 +0300
From:      Ville-Pertti Keinonen <will@iki.fi>
To:        dillon@apollo.backplane.com (Matthew Dillon)
Cc:        hackers@freebsd.org
Subject:   Re: ipsec 'replay' syslog error messages after reboot of one host
Message-ID:  <863dnplfpw.fsf@not.demophon.com>
In-Reply-To: dillon@apollo.backplane.com's message of "11 May 2000 04:27:38 %2B0300"
References:  <200005110127.SAA61600@apollo.backplane.com>


dillon@apollo.backplane.com (Matthew Dillon) writes:

>     The question is:  What am I forgetting to do?  Or is this a bug in our
>     IPSEC implementation?

AFAIK this is more or less how it's supposed to work.  IPsec is a
mess.  Security associations are not stateless, ESP provides replay
protection using a sequence number.  Replay-prevention is, however,
optional, and the setkey manual page claims it to be off by default,
so it could be a bug...you might want to try specifying -r 0
explicitly.
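
The mechanism described above (an ESP receiver checking each packet's sequence number against a sliding anti-replay window, and why a peer whose counter restarts at 1 after a reboot gets its packets dropped as replays) as an added example; this is not code from the thread or from FreeBSD's IPsec stack. The window algorithm follows RFC 2401 Appendix C; the function names and the 32-entry window size are assumptions for illustration.

```c
/* ESP anti-replay sliding window, after RFC 2401 Appendix C. Window of 32
 * sequence numbers: bit 0 of bitmap is last_seq, bit i is last_seq - i. */
#include <stdbool.h>
#include <stdint.h>

#define REPLAY_WINDOW 32   /* assumed window size for this illustration */

struct replay_state {
    uint32_t last_seq;  /* highest sequence number accepted on this SA */
    uint32_t bitmap;    /* bit i set => seq (last_seq - i) already seen */
};

/* Accept seq (and record it) or reject it as a replay. A real ESP input
 * path verifies the ICV before updating the window; that step is omitted. */
static bool replay_check_update(struct replay_state *st, uint32_t seq)
{
    if (seq == 0)
        return false;               /* first valid ESP sequence number is 1 */
    if (seq > st->last_seq) {       /* new highest: slide the window right */
        uint32_t shift = seq - st->last_seq;
        st->bitmap = (shift < REPLAY_WINDOW) ? (st->bitmap << shift) | 1 : 1;
        st->last_seq = seq;
        return true;
    }
    uint32_t back = st->last_seq - seq;
    if (back >= REPLAY_WINDOW)
        return false;               /* older than the window: dropped */
    if (st->bitmap & (1u << back))
        return false;               /* already seen: duplicate/replay */
    st->bitmap |= (1u << back);
    return true;
}

/* Reproduce the symptom in the thread: the peer's SA has seen sequence
 * numbers up to `seen`, the rebooted host restarts its counter at 1, and
 * its next `sent` packets are all rejected as replays. Returns the count. */
static int rejected_after_reboot(uint32_t seen, uint32_t sent)
{
    struct replay_state peer = { 0, 0 };
    int rejected = 0;
    for (uint32_t s = 1; s <= seen; s++)
        replay_check_update(&peer, s);
    for (uint32_t s = 1; s <= sent; s++)
        if (!replay_check_update(&peer, s))
            rejected++;
    return rejected;
}
```

Turning the check off with -r 0, as suggested above, removes the rejections together with the replay protection; installing fresh SAs on both sides after the reboot keeps the protection.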

