W2K: "New policy invalidated SAs formed with old policy"

Mon, 25 Mar 2002 07:58:18 -0800 

Is anyone familiar with this message and it's ramifications?

I'm testing and made a successful ipsec session.  Now I've made changes
to my policy on the server (Linux) side, and I get this message during
Main mode IKE negotiations.  

Do I need to clear old SA's from the previous session?  How do I do
this?  

Thanks,

-Bob

Oakley log from W2K:


3-25: 10:42:02:678 Sending: SA = 0x00239FB8 to 192.168.160.1
 3-25: 10:42:02:678 ISAKMP Header: (V1.0), len = 216 
 3-25: 10:42:02:678   I-COOKIE b3fae143c0ea27a9
 3-25: 10:42:02:678   R-COOKIE 0000000000000000
 3-25: 10:42:02:678   exchange: Oakley Main Mode
 3-25: 10:42:02:678   flags: 0 
 3-25: 10:42:02:678   next payload: SA
 3-25: 10:42:02:678   message ID: 00000000
 3-25: 10:42:31:52c flush guid(ipsec):
e659ef36-cce1-42f4-88e3d8479b672c34
 3-25: 10:42:31:52c Actually flushing guid(ipsec):
e659ef36-cce1-42f4-88e3d8479b672c34
 3-25: 10:42:31:52c isadb_schedule_kill_oldPolicy_sas:
e659ef36-cce1-42f4-88e3d8479b672c34 0
 3-25: 10:42:31:52c Added Timeout 124838
 3-25: 10:42:31:52c flush guid(ipsec):
8c20b319-7a6d-46c1-b00a18f53da78257
 3-25: 10:42:31:52c Actually flushing guid(ipsec):
8c20b319-7a6d-46c1-b00a18f53da78257
 3-25: 10:42:31:52c isadb_schedule_kill_oldPolicy_sas:
8c20b319-7a6d-46c1-b00a18f53da78257 0
 3-25: 10:42:31:52c Added Timeout 101bf0
 3-25: 10:42:31:678 entered kill_old_policy_sas
 3-25: 10:42:31:678 SA Dead. sa:00239FB8 status:cbad0351
 3-25: 10:42:31:678 isadb_set_status sa:00239FB8 centry:00000000 status
cbad0351
 3-25: 10:42:31:678 Stopping RetransTimer sa:00239FB8 centry:00000000
handle:0013BC60
 3-25: 10:42:31:760 entered kill_old_policy_sas
 3-25: 10:42:31:678 Key Exchange Mode (Main Mode)


 3-25: 10:42:31:678 Source IP Address 192.168.160.254

Source IP Address Mask 255.255.255.255

Destination IP Address 192.168.160.1

Destination IP Address Mask 255.255.255.255

Protocol 0

Source Port 0

Destination Port 0


 3-25: 10:42:31:678 Me


 3-25: 10:42:31:678 New policy invalidated SAs formed with old policy




______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to