From owner-freebsd-net@FreeBSD.ORG  Thu Dec 17 16:43:54 2009
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 45F2F1065679
	for <freebsd-net@freebsd.org>; Thu, 17 Dec 2009 16:43:54 +0000 (UTC)
	(envelope-from vanhu@zeninc.net)
Received: from smtp.zeninc.net (smtp.zeninc.net [80.67.176.25])
	by mx1.freebsd.org (Postfix) with ESMTP id F2EDE8FC08
	for <freebsd-net@freebsd.org>; Thu, 17 Dec 2009 16:43:53 +0000 (UTC)
Received: from astro.zen.inc (astro.zen.inc [192.168.1.239])
	by smtp.zeninc.net (smtpd) with ESMTP id 44A7A2798BC;
	Thu, 17 Dec 2009 17:43:52 +0100 (CET)
Received: by astro.zen.inc (Postfix, from userid 1000)
	id 2F22B1705D; Thu, 17 Dec 2009 17:43:52 +0100 (CET)
Date: Thu, 17 Dec 2009 17:43:52 +0100
From: VANHULLEBUS Yvan <vanhu@FreeBSD.org>
To: Mike Tancsa <mike@sentex.net>
Message-ID: <20091217164351.GA66492@zeninc.net>
References: <200912111923.nBBJNLk3072715@lava.sentex.ca>
	<C74CFE50.31FA9%jon.otterholm@ide.resurscentrum.se>
	<200912171634.nBHGY69O019300@lava.sentex.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200912171634.nBHGY69O019300@lava.sentex.ca>
User-Agent: All mail clients suck. This one just sucks less.
Cc: freebsd-net@freebsd.org, Jon Otterholm <jon.otterholm@ide.resurscentrum.se>
Subject: Re:  Racoon site-to site
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2009 16:43:54 -0000

Hi all.


On Thu, Dec 17, 2009 at 11:01:00AM -0500, Mike Tancsa wrote:
[...]
> Another thing to try is
> sysctl -w net.key.preferred_oldsa=0

Yep, this is how most IPsec devices works and expects peers to work.


> Also, check and make sure you have dpd compiled into 
> ipsectools and make sure enabled.

Yes .... or no: misconfigured, or used in situations with important
loss, DPD can be worst than nothing....

The best would be to first understand the issue, then fix it, and only
after that consider finding useful DPD configuration regarding the
setup....


Yvan.