From: VANHULLEBUS Yvan
To: freebsd-net@freebsd.org
Date: Thu, 8 Oct 2015 16:18:48 +0200
Subject: Re: transport mode IPSec with Windows 7, static keys
Message-ID: <20151008141847.GA28325@zeninc.net>
In-Reply-To: <20150926143057.GA88375@admin.sibptus.tomsk.ru>
References: <20150922084111.GA89385@admin.sibptus.tomsk.ru> <20150925064234.GA63016@admin.sibptus.tomsk.ru> <20150926143057.GA88375@admin.sibptus.tomsk.ru>

Hi.

On Sat, Sep 26, 2015 at 08:30:57PM +0600, Victor Sudakov wrote:
[.....]
> The two sysctls:
>
> net.key.preferred_oldsa=0

When there is more than one SA available (the most common case is when a new SA is keyed as the old one comes near to its end of life), this sysctl tells the kernel which one to use.

The old IKEv1 RFC says to use the older one (sysctl set to 1), but most implementations use the newest as soon as it is available (sysctl set to 0).

Having to tweak that for peer reboot situations probably means that Windows' IKE daemon does not send a correct DELETE_SA, or that it is not properly handled on the FreeBSD side for some unknown reason.

> net.key.blockacq_count=0

Basically, blockacq is a mechanism to avoid sending a keying request to the IKE daemon for each packet which should be tunneled (you may have a lot of such packets during negotiation time).

Setting this sysctl to 0 will disable this feature, and setting it to a low value may have the same result in your setup. This will generate faster keying requests, but may overload the IKE daemon during rekeying (each request from the kernel has to be read and handled).

> seem to fix the reboot problem. Could anyone explain the mechanism? I
> have never had to tweak them to get IPsec working between FreeBSD hosts.

Yvan.
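The situation Yvan describes, where net.key.preferred_oldsa matters, is a peer/protocol pair with more than one live SA in the SAD. The following is an added example (not part of the thread) that spots such pairs in `setkey -D` output; the SAD text below is a constructed, abbreviated sample (real output indents detail lines with tabs and carries more fields), and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `setkey -D` output (not captured from a real host):
# two ESP SAs from .1 to .2 (old one not deleted after the peer rekeyed or
# rebooted) plus a single SA in the reverse direction.
SAMPLE_SAD='192.168.1.1 192.168.1.2
    esp mode=transport spi=1000(0x000003e8) reqid=0(0x00000000)
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
192.168.1.1 192.168.1.2
    esp mode=transport spi=2000(0x000007d0) reqid=0(0x00000000)
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
192.168.1.2 192.168.1.1
    esp mode=transport spi=3000(0x00000bb8) reqid=0(0x00000000)
    seq=0x00000000 replay=0 flags=0x00000000 state=dying'

# Read setkey -D text on stdin; print "src dst proto count" for every
# (src, dst, proto) tuple that has more than one usable (mature or dying) SA.
# On a live FreeBSD box:  setkey -D | duplicate_sas
duplicate_sas() {
    awk '
        # An unindented line is the "src dst" header of an SA entry.
        /^[^ \t]/ { src = $1; dst = $2; next }
        # The first indented line names the protocol (esp or ah).
        $1 == "esp" || $1 == "ah" { key = src " " dst " " $1; next }
        # Count the SA once its state line shows it is still usable.
        /state=(mature|dying)/ && key != "" { n[key]++; key = "" }
        END { for (k in n) if (n[k] > 1) print k, n[k] }
    '
}

# Number of tuples with duplicate SAs in the sample. A non-zero result is
# exactly the case where net.key.preferred_oldsa picks the outbound SA.
count_duplicate_tuples() {
    printf '%s\n' "$SAMPLE_SAD" | duplicate_sas | wc -l | tr -d ' '
}

printf 'tuples with more than one live SA: %s\n' "$(count_duplicate_tuples)"
```

Seeing a stale SA linger after the Windows side reboots is consistent with the missing or unhandled DELETE_SA that Yvan suspects; deleting it with `setkey -c` (or rekeying) should make the kernel's choice irrelevant again.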