Date:      Thu, 8 Oct 2015 16:18:48 +0200
From:      VANHULLEBUS Yvan <vanhu@FreeBSD.org>
To:        freebsd-net@freebsd.org
Subject:   Re:  transport mode IPSec with Windows 7, static keys
Message-ID:  <20151008141847.GA28325@zeninc.net>
In-Reply-To: <20150926143057.GA88375@admin.sibptus.tomsk.ru>
References:  <20150922084111.GA89385@admin.sibptus.tomsk.ru> <20150925064234.GA63016@admin.sibptus.tomsk.ru> <20150926143057.GA88375@admin.sibptus.tomsk.ru>

Hi.

On Sat, Sep 26, 2015 at 08:30:57PM +0600, Victor Sudakov wrote:
[.....]
> The two sysctls:
> 
> net.key.preferred_oldsa=0

When there is more than one SA available (the most common case is when a
new SA is keyed as the old one nears the end of its life), this
sysctl tells the kernel which one to use.
The old IKEv1 RFC says to use the older one (sysctl set to 1), but most
implementations use the newest as soon as it is available (sysctl set
to 0).

Having to tweak that for peer reboot situations probably means that
Windows' IKE daemon does not send a correct DELETE_SA, or it is not
properly handled on the FreeBSD side for some unknown reason.


> net.key.blockacq_count=0

Basically, blockacq is a mechanism to avoid sending a keying request
to the IKE daemon for each packet which should be tunneled (you may have a
lot of such packets during negotiation time).
Setting this sysctl to 0 will disable this feature, and setting it to
a low value may have the same result in your setup.

This will generate faster keying requests, but may overload IKE daemon
during rekeying (each request from the kernel has to be read and
handled).


> seem to fix the reboot problem. Could anyone explain the mechanism? I
> have never had to tweak them to get IPsec working between FreeBSD hosts.


Yvan.
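A small Python model of the two sysctls discussed in the message above, added here as an illustration; it is not part of the original thread and not FreeBSD's key.c code. The `SA`, `select_sa` and `AcquireThrottle` names and the SPI/timestamp values are constructed for the example, and the throttle follows the behaviour described in the mail (0 sends an ACQUIRE for every packet) rather than the kernel's exact counter.

```python
from dataclasses import dataclass
from operator import attrgetter


@dataclass
class SA:
    """One security association as the kernel would see it (constructed)."""
    spi: int
    created: int          # seconds since boot, constructed sample values
    state: str = "mature"  # larval / mature / dying / dead


def select_sa(sas, preferred_oldsa):
    """Pick the SA used for outbound traffic when several exist.

    Only mature or dying SAs can carry traffic. net.key.preferred_oldsa=1
    follows the old IKEv1 RFC and picks the oldest; 0 picks the newest.
    Simplified model of the selection, not the key.c implementation.
    """
    usable = [sa for sa in sas if sa.state in ("mature", "dying")]
    if not usable:
        return None
    pick = min if preferred_oldsa else max
    return pick(usable, key=attrgetter("created"))


class AcquireThrottle:
    """Model of blockacq for one security policy with no SA yet.

    The first packet sends an ACQUIRE to the IKE daemon; following packets
    are swallowed until `blockacq_count` of them have been blocked, then
    the next packet sends a fresh ACQUIRE. With blockacq_count=0 every
    packet sends one, which is the "disabled" case the mail describes.
    """

    def __init__(self, blockacq_count):
        self.blockacq_count = blockacq_count
        self.blocked = None  # None: no ACQUIRE has been sent yet

    def packet(self):
        """Return True if this packet triggers an ACQUIRE message."""
        if self.blocked is None or self.blocked >= self.blockacq_count:
            self.blocked = 0
            return True
        self.blocked += 1
        return False


def acquires_sent(blockacq_count, packets):
    """Count ACQUIREs the IKE daemon would receive for `packets` packets."""
    throttle = AcquireThrottle(blockacq_count)
    return sum(throttle.packet() for _ in range(packets))
```

The reboot case in the thread corresponds to the stale SA still being present beside the freshly keyed one: with `preferred_oldsa=1` the model keeps choosing the stale SPI, with `0` it switches to the new one.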




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20151008141847.GA28325>