Julian Elischer: >On Wed, 31 Mar 2004, Helge Oldach wrote: >> Mike Tancsa: >> >Well, its not totally a bug, but missing functionality that looks >> >like is there but is not and is pretty important to keep lossy >> >links functioning with IPSEC. My colleague [EMAIL PROTECTED] created >> >the patch below that implements net.key.prefered_oldsa when using >> >FAST_IPSEC. >> >> Yep, this is particularly important when running IPSec against other >> vendors' IPSec implementation. Many appear to prefer the new SA over the >> old one. > >Of course.. If you prefer the old SA over teh new one and your peer is >rebooted, then you can't talk to them until the old SA expires..
Actually you don't even need to reboot. The issue pops up already when a new SA is negotiated, but one of the peers insists in using the old one and the other insists on the new one. Yes, it *should* work in theory, but often it doesn't. Seen with FreeBSD against Cisco devices, for instance. Helge _______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-hackers To unsubscribe, send any mail to "[EMAIL PROTECTED]"
