FAST_IPSEC bug fix

Helge Oldach helge.oldach at atosorigin.com
Wed Mar 31 23:35:06 PST 2004


Julian Elischer:
>On Wed, 31 Mar 2004, Helge Oldach wrote:
>> Mike Tancsa:
>> >Well, its not totally a bug, but missing functionality that looks      
>> >like is there but is not and is pretty important to keep lossy         
>> >links functioning with IPSEC. My colleague gabor at sentex.net created    
>> >the patch below that implements net.key.prefered_oldsa when using      
>> >FAST_IPSEC.                                                            
>> 
>> Yep, this is particularly important when running IPSec against other
>> vendors' IPSec implementation. Many appear to prefer the new SA over the
>> old one.
>
>Of course.. If you prefer the old SA over teh new one and your peer is
>rebooted, then you can't talk to them until the old SA expires..

Actually you don't even need to reboot. The issue pops up already when a
new SA is negotiated, but one of the peers insists in using the old one
and the other insists on the new one. Yes, it *should* work in theory,
but often it doesn't. Seen with FreeBSD against Cisco devices, for
instance.

Helge


More information about the freebsd-hackers mailing list