FAST_IPSEC bug fix
Helge Oldach
helge.oldach at atosorigin.com
Wed Mar 31 23:35:06 PST 2004
Julian Elischer:
>On Wed, 31 Mar 2004, Helge Oldach wrote:
>> Mike Tancsa:
>> >Well, its not totally a bug, but missing functionality that looks
>> >like is there but is not and is pretty important to keep lossy
>> >links functioning with IPSEC. My colleague gabor at sentex.net created
>> >the patch below that implements net.key.prefered_oldsa when using
>> >FAST_IPSEC.
>>
>> Yep, this is particularly important when running IPSec against other
>> vendors' IPSec implementation. Many appear to prefer the new SA over the
>> old one.
>
>Of course.. If you prefer the old SA over the new one and your peer is
>rebooted, then you can't talk to them until the old SA expires..
Actually you don't even need to reboot. The issue pops up already when a
new SA is negotiated, but one of the peers insists on using the old one
and the other insists on the new one. Yes, it *should* work in theory,
but often it doesn't. Seen with FreeBSD against Cisco devices, for
instance.
Helge
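The reboot scenario from the thread, as an added illustration that is not code from the thread or from FreeBSD: a small model of KAME-style outbound SA selection under net.key.prefered_oldsa, showing why a stale old SA leaves the link dead until it expires. The SAD layout, the "mature" state and the SPI values are constructed assumptions.

```python
"""Model of FAST_IPSEC/KAME outbound SA selection under net.key.prefered_oldsa.

Added example, not code from the thread or from FreeBSD. The SAD layout, the
'mature' state and the peer-reboot scenario are simplified assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SA:
    spi: int          # Security Parameter Index identifying the SA on the wire
    created: int      # creation time (seconds); larger means newer
    state: str = "mature"


def select_outbound_sa(sad, prefer_oldsa):
    """Pick the SA to send on: among mature SAs, prefer the oldest when
    prefered_oldsa=1, otherwise the newest (the behaviour the thread discusses)."""
    mature = [sa for sa in sad if sa.state == "mature"]
    if not mature:
        return None
    key = lambda sa: sa.created
    return min(mature, key=key) if prefer_oldsa else max(mature, key=key)


def deliverable(local_sad, peer_sad, prefer_oldsa):
    """True if the SA we would send on is known to the peer (looked up by SPI)."""
    sa = select_outbound_sa(local_sad, prefer_oldsa)
    return sa is not None and any(p.spi == sa.spi for p in peer_sad)


# Constructed scenario: our side still holds the pre-reboot SA (SPI 0x1001)
# plus the one renegotiated after the peer came back (SPI 0x2002).
OLD = SA(spi=0x1001, created=100)
NEW = SA(spi=0x2002, created=200)
LOCAL_SAD = [OLD, NEW]
PEER_SAD_AFTER_REBOOT = [NEW]   # the peer lost its SAD on reboot; only NEW exists


def rebooted_peer_outcome():
    """Compare both sysctl settings against a rebooted peer."""
    return {
        "prefered_oldsa=1": deliverable(LOCAL_SAD, PEER_SAD_AFTER_REBOOT, True),
        "prefered_oldsa=0": deliverable(LOCAL_SAD, PEER_SAD_AFTER_REBOOT, False),
    }


def after_old_sa_expires():
    """Once the stale SA has expired locally, preferring the old SA works again."""
    expired = [SA(OLD.spi, OLD.created, state="dead"), NEW]
    return deliverable(expired, PEER_SAD_AFTER_REBOOT, True)


if __name__ == "__main__":
    print(rebooted_peer_outcome())   # {'prefered_oldsa=1': False, 'prefered_oldsa=0': True}
    print(after_old_sa_expires())    # True
```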