Date:      Mon, 17 Aug 2015 10:07:45 +0200 (CEST)
From:      Emeric POUPON <emeric.poupon@stormshield.eu>
To:        FreeBSD Net <freebsd-net@freebsd.org>
Subject:   IPsec: question on the sysctl preferred_oldsa
Message-ID:  <868621474.11105551.1439798865541.JavaMail.zimbra@stormshield.eu>
In-Reply-To: <2101280536.11100114.1439798033324.JavaMail.zimbra@stormshield.eu>

Hello,

I have some questions about the sysctl "net.key.preferred_oldsa":
https://svnweb.freebsd.org/base/head/sys/netipsec/key.c?view=markup#l971

When I set the net.key.preferred_oldsa to 0 (similar to Linux's behavior, according to what I have read so far):
- why does the kernel itself delete the old SA? Why not just select the newest one?
- why does it delete the old SA only if it was created in a different "second" of time?

strongSwan does not expect that behavior and I can see a lot of errors in its logs: the SA has been deleted but it does not know about that (strongSwan wants to control the SA installation/deletion itself).
Two pairs of SAs may be negotiated and installed at the same time due to high load and bidirectional traffic. It seems quite questionable to delete the old one in that case.

What do you think?

Emeric
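A small model of the selection rule the mail describes, added here as an illustration and not the code from sys/netipsec/key.c: each SA carries its creation time in whole seconds, preferred_oldsa=1 picks the oldest mature SA, and preferred_oldsa=0 picks the newest and drops any older mature SA whose creation second differs. The SPI values and timestamps are constructed; the same-second case shows why two SA pairs negotiated under load in one second survive while pairs one second apart do not.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SA:
    """Minimal stand-in for a kernel SA: SPI, creation time (seconds), state."""
    spi: int
    created: int          # whole seconds, like the SA lifetime "created" field
    state: str = "MATURE"


def select_sa(sas: List[SA], preferred_oldsa: bool) -> Tuple[Optional[SA], List[SA]]:
    """Return (SA chosen for outbound traffic, SAs this model would delete).

    Simplified model of the behaviour described in the mail, not the kernel code:
    - preferred_oldsa=1: use the oldest mature SA, delete nothing.
    - preferred_oldsa=0: use the newest mature SA; every other mature SA whose
      'created' second differs from the chosen one is removed (the IKE daemon
      is not consulted, which is what strongSwan does not expect).
    Ties on 'created' keep list order, so SAs installed in the same second
    are all retained.
    """
    mature = [s for s in sas if s.state == "MATURE"]
    if not mature:
        return None, []
    if preferred_oldsa:
        return min(mature, key=lambda s: s.created), []
    chosen = max(mature, key=lambda s: s.created)
    deleted = [s for s in mature if s is not chosen and s.created != chosen.created]
    return chosen, deleted


def rekey_outcome(old_created: int, new_created: int, preferred_oldsa: bool) -> List[int]:
    """SPIs removed when a second SA (constructed SPI 0x2000) is installed next
    to an existing one (constructed SPI 0x1000)."""
    sas = [SA(0x1000, old_created), SA(0x2000, new_created)]
    _, deleted = select_sa(sas, preferred_oldsa)
    return [s.spi for s in deleted]


if __name__ == "__main__":
    # Two SA pairs negotiated in the same second under load: nothing is deleted.
    print("same second, oldsa=0:", rekey_outcome(100, 100, False))
    # One second apart: the kernel-side rule silently drops the old SA.
    print("next second, oldsa=0:", rekey_outcome(100, 101, False))
    # With preferred_oldsa=1 the old SA stays in use and nothing is deleted.
    print("next second, oldsa=1:", rekey_outcome(100, 101, True))
```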