Date: Tue, 13 Aug 2002 11:51:25 -0700
From: "Crist J. Clark"
To: Mike Burgett
Cc: Julian Elischer, net@FreeBSD.ORG
Subject: Re: Racoon question
Message-ID: <20020813185125.GB5009@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20020813052619.GD1675@blossom.cjclark.org> <200208131150.g7DBoC4h030141@dragon.awen.com>
In-Reply-To: <200208131150.g7DBoC4h030141@dragon.awen.com>
User-Agent: Mutt/1.4i
X-URL: http://people.freebsd.org/~cjc/
List: freebsd-net@freebsd.org

On Tue, Aug 13, 2002 at 04:50:12AM -0700, Mike Burgett wrote:
> On Mon, 12 Aug 2002 22:26:19 -0700, Crist J. Clark wrote:
>
> >On Mon, Aug 12, 2002 at 03:48:56PM -0700, Julian Elischer wrote:
> [ ... ]
> >> However I notice that if I have a problem on one system it sometimes
> >> needs to wait until the running SA has expired until things can be
> >> restarted.. For example if one system is rebooted, I need to reset the
> >> racoon on the other system and clear SAs etc. before things can resync.
> >
> >Yeah, known issue which comes up from time to time. It is a common
> >headache in IPsec. 'Coulda sworn there was a sysctl(8) to change this
> >behavior, but I can't find it.
>
> Hello,
>
> Try: net.key.prefered_oldsa=0
>
> This worked for me on a -stable box, a while back.

There it is. Silly me looking for it above net.inet.ipsec. It forces me to
wonder, "Why _aren't_ this and the other net.key sysctl(8)s actually
net.inet.ipsec.key (or something like that)?" I see the code lives in
src/sys/netkey, but isn't all of this purely IPsec related? And all of the
net.inet.ipsec code actually lives in netinet6, so things are already
inconsistent in making sysctl(8) names reflect where something lies in the
tree.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
http://people.freebsd.org/~cjc/    |     cjclark@jhu.edu
                                   |     cjc@freebsd.org
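Added example, not code from any message in this thread: a small sh script that applies Mike's sysctl on a FreeBSD IPsec gateway, persists it in /etc/sysctl.conf, and packages the manual "clear SAs and restart racoon" recovery Julian describes for the case where a peer has already come back up behind stale SAs. It assumes FreeBSD's sysctl(8) and setkey(8) and a ports-installed racoon with an rc script at /usr/local/etc/rc.d/racoon (that path and the sample sysctl output are assumptions; the sample is constructed). The only live commands run when the script detects FreeBSD; the parsing helper is plain awk so it can be checked anywhere.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes FreeBSD sysctl(8)/setkey(8)
# and a racoon rc script at /usr/local/etc/rc.d/racoon (path assumed).

# Extract one OID's value from "name: value" lines as printed by
# `sysctl net.key`. Pure awk so it works off a FreeBSD box too.
sysctl_value() {
    # $1 = OID name; stdin = sysctl(8) output
    awk -v key="$1:" '$1 == key { print $2; exit }'
}

# Constructed sample of `sysctl net.key` output with the default in effect.
# prefered_oldsa=1 makes the kernel keep sending on the older of two SAs to
# the same peer, so after the peer reboots and negotiates fresh SAs our
# traffic still goes out on the stale one until it expires.
SAMPLE_BEFORE='net.key.debug: 0
net.key.spi_trycnt: 1000
net.key.spi_minval: 256
net.key.prefered_oldsa: 1'

# Prefer the newest SA from now on, and keep the setting across reboots.
prefer_new_sa() {
    sysctl net.key.prefered_oldsa=0 || return 1
    if ! grep -q '^net.key.prefered_oldsa=' /etc/sysctl.conf 2>/dev/null; then
        echo 'net.key.prefered_oldsa=0' >> /etc/sysctl.conf
    fi
}

# Manual recovery when stale SAs are already in place: flush the SAD only
# (setkey -F; -FP would also drop the SPD and leave traffic unprotected),
# so the next packet matching a policy triggers a new ACQUIRE, then restart
# racoon so it discards its own phase 1/2 state.
resync_ipsec() {
    setkey -F || return 1
    /usr/local/etc/rc.d/racoon restart
}

# Only touch the live system on FreeBSD; elsewhere just define the functions.
if [ "$(uname -s)" = FreeBSD ]; then
    prefer_new_sa
    sysctl net.key | sysctl_value net.key.prefered_oldsa   # expect 0
fi
```

Running `sysctl net.key | sysctl_value net.key.prefered_oldsa` before and after `prefer_new_sa` is a quick way to confirm the change took; `setkey -D` then shows whether any stale SAs to the rebooted peer are still present and worth flushing with `resync_ipsec`.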