From: Julian Elischer
To: Helge Oldach
cc: freebsd-hackers@freebsd.org
cc: Mike Tancsa
Date: Wed, 31 Mar 2004 11:00:24 -0800 (PST)
Subject: Re: FAST_IPSEC bug fix
In-Reply-To: <200403310955.LAA21806@galaxy.hbg.de.ao-srv.com>

On Wed, 31 Mar 2004, Helge Oldach wrote:

> Mike Tancsa:
> > Well, it's not totally a bug, but missing functionality that looks
> > like it is there but is not and is pretty important to keep lossy
> > links functioning with IPSEC. My colleague gabor@sentex.net created
> > the patch below that implements net.key.prefered_oldsa when using
> > FAST_IPSEC.
>
> Yep, this is particularly important when running IPSec against other
> vendors' IPSec implementations. Many appear to prefer the new SA over the
> old one.

Of course..

If you prefer the old SA over the new one and your peer is rebooted, then you can't talk to them until the old SA expires.. This made our network untenable until this sysctl was added. Every time a host was rebooted, all links that touched that host were down for up to 20 minutes (the SA expiry time we were using at that time).

> Actually this is the only issue that stopped me from going to
> FAST_IPSEC.
>
> Please also note that the name of the sysctl has been changed in -CURRENT
> about six weeks ago to net.key.preferred_oldsa (double "r"). I would
> suggest to change it for RELENG_4 also, but *only* for FAST_IPSEC.
>
> Helge
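The outage Julian describes follows directly from how the outbound SA is picked when more than one mature SA exists for the same peer. The following is an added illustration, not the patch discussed in the thread nor code from the FreeBSD kernel: a simplified model of an SA database in which `select()` returns either the oldest or the newest mature SA depending on a `preferred_oldsa` flag, and `outage_after_peer_reboot()` replays the reboot scenario. The class and function names, the SPI values, the 300-second reboot time and the 1200-second lifetime (the 20 minutes mentioned above) are constructed for the example; real kernels also track DYING/DEAD states and soft lifetimes, which this model leaves out.

```python
"""Model of outbound SA selection under a preferred_oldsa-style knob.

Added example; names, times and SPIs are constructed, not taken from FreeBSD.
"""
from dataclasses import dataclass, field
from typing import List, Optional

MATURE = "mature"
DEAD = "dead"


@dataclass
class SecurityAssociation:
    spi: int
    created_at: int          # seconds on a monotonic clock
    lifetime: int            # hard lifetime in seconds
    state: str = MATURE
    # Constructed bookkeeping for the simulation: does the remote peer
    # still hold this SA? A rebooted peer forgets all of its SAs.
    peer_knows: bool = True

    def expired(self, now: int) -> bool:
        return now >= self.created_at + self.lifetime


@dataclass
class SADB:
    sas: List[SecurityAssociation] = field(default_factory=list)

    def add(self, sa: SecurityAssociation) -> None:
        self.sas.append(sa)

    def expire(self, now: int) -> None:
        """Mark SAs past their hard lifetime DEAD and drop them."""
        for sa in self.sas:
            if sa.expired(now):
                sa.state = DEAD
        self.sas = [sa for sa in self.sas if sa.state != DEAD]

    def select(self, preferred_oldsa: bool) -> Optional[SecurityAssociation]:
        """Pick the outbound SA: oldest mature SA if preferred_oldsa, else newest."""
        candidates = [sa for sa in self.sas if sa.state == MATURE]
        if not candidates:
            return None
        if preferred_oldsa:
            return min(candidates, key=lambda sa: sa.created_at)
        return max(candidates, key=lambda sa: sa.created_at)


def outage_after_peer_reboot(preferred_oldsa: bool,
                             reboot_at: int = 300,
                             sa_lifetime: int = 1200) -> int:
    """Seconds during which our chosen outbound SA is one the peer no longer has.

    Timeline (constructed): an SA is set up at t=0; at t=reboot_at the peer
    reboots, forgets that SA, and IKE immediately negotiates a fresh one.
    Traffic is lost whenever we encrypt with the SA the peer forgot.
    """
    sadb = SADB()
    old_sa = SecurityAssociation(spi=0x1001, created_at=0, lifetime=sa_lifetime)
    sadb.add(old_sa)

    # Peer reboot: the old SA survives locally but is gone on the far side.
    old_sa.peer_knows = False
    new_sa = SecurityAssociation(spi=0x1002, created_at=reboot_at,
                                 lifetime=sa_lifetime)
    sadb.add(new_sa)

    lost_seconds = 0
    for now in range(reboot_at, reboot_at + sa_lifetime):
        sadb.expire(now)
        chosen = sadb.select(preferred_oldsa)
        if chosen is None or not chosen.peer_knows:
            lost_seconds += 1
    return lost_seconds


if __name__ == "__main__":
    for flag in (True, False):
        print(f"preferred_oldsa={int(flag)}: "
              f"{outage_after_peer_reboot(flag)} s of lost traffic after peer reboot")
```

With the constructed numbers, preferring the old SA keeps sending on SPI 0x1001 until its hard lifetime runs out at t=1200, so traffic is lost for the remaining 900 seconds of that lifetime; preferring the new SA switches to SPI 0x1002 the moment it is installed and loses nothing. This is the trade-off behind the sysctl: preferring the old SA avoids flapping on lossy links where rekeys race, preferring the new SA recovers immediately from a peer that lost its state.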