Date: Fri, 27 Jan 2006 10:19:58 -0800
From: Julian Elischer <julian@elischer.org>
To: FreeBSD MailList <subscriber@osk.com.ua>
Cc: freebsd-net@freebsd.org, VANHULLEBUS Yvan <vanhu_bsd@zeninc.net>
Subject: Re: Duplicate SAD entries lead to ESP tunnel malfunction
Message-ID: <43DA644E.9090703@elischer.org>
In-Reply-To: <603364524.20060127113646@osk.com.ua>
References: <83462512.20060126181018@osk.com.ua> <43D92848.2050005@elischer.org> <20060127084457.GA21360@zen.inc> <603364524.20060127113646@osk.com.ua>
Oleg Tarasov wrote:
> Hello,
>
> VANHULLEBUS Yvan <vanhu_bsd@zeninc.net> wrote:
>
>> net.key.prefered_oldsa, or net.key.preferred_oldsa (changed since
>> 4.X).
>
>> It is 1 by default, and it should be set to 0 to help better
>> interoperability with lots of peers.....
>
> This seems quite like the correct solution. I analyzed the behavior of the
> interface and saw incoming ping requests (obviously) AND outgoing ping
> echoes, but the remote host didn't get them. Obviously incoming packets
> were decrypted using one of the SAs (the new one) but outgoing packets
> were encrypted using the old SA, which is not present on the remote host due to
> some problems (like forced reboot, connection problems etc).

Yes, let us know if that solves your problem. Remember you don't need to
reboot to set it; the result should be instantaneous.

> Normally in this case the remote host must report an unknown spi, but
> rather it lacks this function or it just ignores these packets. As it
> is a hardware router I am unaware of its behavior.
>
> I will test this solution for some time but I am sure this will help.
>
> Thanks for really great help - all these troubles are on my production
> box and every minute of malfunction returns to me with #not good#
> words of my boss :/