Can I get a couple of people to try out the following diff? It (I think) fixes the issue where the 'prefer older sa' option actually prefers newer SAs (the one where we tell you to click that option to prefer it :)). Before I commit this, I'd like some feedback from people that have done this to fix IPsec issues as well as people that haven't used this option (and can confirm it's not breaking anything). If it's absolutely required, I can post a full version of the file, but the full install (I know embedded doesn't have it) should have diff and patch, so this should apply.
Save to /tmp/vpn.inc.diff and run:

cd / && patch < /tmp/vpn.inc.diff

If there are no "rejected" entries, reboot. If it fails - go to Diagnostics -> Edit file and update /etc/inc/vpn.inc with http://cvstrac.pfsense.com/getfile?f=pfSense/etc/inc/vpn.inc&v=1.89.2.18

Thanks
--Bill

Index: vpn.inc =================================================================== RCS file: /cvsroot/pfSense/etc/inc/vpn.inc,v retrieving revision 1.112 diff -u -r1.112 vpn.inc --- vpn.inc 11 Mar 2006 22:45:22 -0000 1.112 +++ vpn.inc 29 Mar 2006 14:00:23 -0000 @@ -118,9 +118,9 @@ } if(isset($config['ipsec']['preferredoldsa'])) { - mwexec("/sbin/sysctl net.key.preferred_oldsa=0"); + mwexec("/sbin/sysctl -w net.key.preferred_oldsa=30"); } else { - mwexec("/sbin/sysctl -w net.key.preferred_oldsa=-30"); + mwexec("/sbin/sysctl -w net.key.preferred_oldsa=0"); } $number_of_gifs = find_last_gif_device(); @@ -1233,4 +1233,4 @@ return 0; } -?> \ No newline at end of file +?>
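
Review bot: In the @@ -118 hunk, the else branch now writes net.key.preferred_oldsa=0 where it used to write -30, so every system that never set the option gets a different kernel value after this patch; please confirm that 0 is the intended default and say so in a comment. The 30 in the isset branch is likewise unexplained: nothing in the visible lines says why 30 rather than a simple on value, so a one-line comment on what the number means would help the next reader. The result of neither mwexec call is checked, so a failed sysctl would leave the old value in place without any log entry.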
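
Review bot: The @@ -1233 hunk changes only the end of the file, adding the newline that was missing after ?>, which is unrelated to the sysctl fix in the first hunk. Mention it in the commit message or commit it separately so the functional change stands alone in the history.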