Date: Fri, 18 Jan 2002 09:41:47 -0000
From: "Tariq Rashid" <tariq@inty.net>
To: <freebsd-net@freebsd.org>
Subject: what is the correct IPSEC behaviour for new connections over old ones?
Message-ID: <MPENKFCCIIDAJKJJOLBHMEBJCGAA.tariq@inty.net>
In-Reply-To: <MPENKFCCIIDAJKJJOLBHOEDFCFAA.tariq@inty.net>
i know there's been some debate on this... but what is the current thinking in the light of any possible changes to KAME?

the problem is that classic one: two ipsec hosts negotiate keys.. one's a server, one's a client... establish SAs and all is well. now, if one ike daemon is gracefully pulled down it sends a delete to itself and the other host, clearing the spds and sad entries... all is fine too. (i'm using isakmpd).

now - what __should__ happen if one of the hosts, client or server, is ungracefully rebooted... should the server NOT respond to a new phase 1 negotiation? ... or should it wait till the full phase 1 time out which could be 8 hours or more!!! or should it accept the new negotiation?

i think (i may be wrong) that freebsd4.4r does accept new negotiations, and new entries are placed in the sad BUT: the machine accepts new SPI streams... but sends back old-SPI streams... confusing the rebooted machine.

any light on this?

tariq
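The failure mode described above, as an added toy model that is not part of the original post or of KAME/isakmpd: a minimal SAD in which a renegotiation after the client's ungraceful reboot installs a fresh inbound SA but outbound traffic still picks the stale SA, beside the variant where the server drops every older SA for that peer when the new phase 1 completes (the effect of an IKE "initial contact"). The SPI values and the single peer are constructed for the simulation.

```python
from dataclasses import dataclass, field


@dataclass
class SA:
    spi: int
    peer: str
    direction: str  # "in" or "out"


@dataclass
class Sad:
    inbound: dict = field(default_factory=dict)   # spi -> SA accepted on receipt
    outbound: dict = field(default_factory=dict)  # peer -> SAs, oldest first

    def install_pair(self, peer, spi_in, spi_out, flush_peer=False):
        """Install the SA pair a completed phase 2 produces for `peer`.
        flush_peer=True models treating the peer's new phase 1 as an
        initial contact: all older SAs with that peer are removed first."""
        if flush_peer:
            self.inbound = {s: sa for s, sa in self.inbound.items() if sa.peer != peer}
            self.outbound.pop(peer, None)
        self.inbound[spi_in] = SA(spi_in, peer, "in")
        self.outbound.setdefault(peer, []).append(SA(spi_out, peer, "out"))

    def accept(self, spi):
        return spi in self.inbound

    def select_outbound(self, peer):
        # A stale binding keeps using the oldest SA for the peer.
        return self.outbound[peer][0].spi


def simulate(flush_on_new_phase1):
    """Return (server accepts new inbound SPI, outbound SPI chosen,
    rebooted client recognises that SPI)."""
    server = Sad()
    server.install_pair("client", spi_in=0x1001, spi_out=0x2001)  # constructed SPIs
    # Client reboots ungracefully: its SAD is empty, it renegotiates with new SPIs
    # and afterwards only knows its own fresh inbound SPI.
    client_known_inbound = {0x2002}
    server.install_pair("client", spi_in=0x1002, spi_out=0x2002,
                        flush_peer=flush_on_new_phase1)
    out_spi = server.select_outbound("client")
    return server.accept(0x1002), out_spi, out_spi in client_known_inbound
```

With `flush_on_new_phase1=False` the server accepts the new inbound SPI but replies on the old one, which the rebooted client no longer recognises; with `True` both directions agree.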