Date: Wed, 31 Mar 2004 11:55:53 +0200 (MET DST) From: Helge Oldach <helge.oldach@atosorigin.com> To: mike@sentex.net (Mike Tancsa) Cc: freebsd-hackers@freebsd.org Subject: Re: FAST_IPSEC bug fix Message-ID: <200403310955.LAA21806@galaxy.hbg.de.ao-srv.com> In-Reply-To: <6.0.3.0.0.20040330120751.10bf1180@209.112.4.2> from Mike Tancsa at "Mar 30, 2004 7:13:58 pm"
next in thread | previous in thread | raw e-mail | index | archive | help
Mike Tancsa: >Well, its not totally a bug, but missing functionality that looks >like is there but is not and is pretty important to keep lossy >links functioning with IPSEC. My colleague gabor@sentex.net created >the patch below that implements net.key.prefered_oldsa when using >FAST_IPSEC. Yep, this is particularly important when running IPSec against other vendors' IPSec implementation. Many appear to prefer the new SA over the old one. Actually this is the only issue that stopped me from going to FAST_IPSEC. Please also note that the nam of the sysctl has been changed in -CURRENT about six weeks ago to net.key.preferred_oldsa (double "r"). I would suggest to change it for RELENG_4 also, but *only* for FAST_IPSEC. Helge
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200403310955.LAA21806>