From: JL <ips...@rr...> - 2011-04-27 10:18:17
Hi Yvan,

On 26 April 2011 14:59, VANHULLEBUS Yvan <va...@fr...> wrote:
> On Tue, Apr 26, 2011 at 02:48:39PM +0100, JL wrote:
>> Hi Yvan,
> [...]
>> That looks like a strong contender for the problem. Now that I know
>> what to look for, I can see "replay=4" in the Policy Database.
>
> That's the default value, IIRC.
> Please note that this is the size (in bytes) of a bitfield, so the
> replay window keeps the state of the 32 last received packets.
>
>> My next question is, how do I change that?
>
> I don't think this can be actually configured in racoon.conf...
>
> Either change it at compile time for your specific needs, or feel free
> to provide us a patch to have a (per peer/sainfo if possible)
> configurable replay window size.

Damn :(

I've worked up a patch to just change the hardcoded value (for future reference by anyone reading this, I have pasted the patch to 0.6.5-13.el5_3.1 at the bottom of this email), but it may be a while before I can get it onto live systems (one end has >100 VPNs).

I'm going to try to get our dev team to take up writing the proper patch, but I'm not holding my breath :)

Thank you very much for your help. I could have spent a lot of time staring at this, and not gotten it. You have pointed me at exactly what I needed to know.

> Yvan.

--
Jarrod Lowe

--- ipsec-tools-0.6.5/src/racoon/pfkey.c.orig 2011-04-26 11:21:03.604587490 -0400
+++ ipsec-tools-0.6.5/src/racoon/pfkey.c 2011-04-26 11:21:26.374588340 -0400
@@ -1113,7 +1113,7 @@ u_int e_type, e_keylen, a_type, a_keylen, flags; u_int satype, mode; u_int64_t lifebyte = 0; - u_int wsize = 4; /* XXX static size of window */ + u_int wsize = 8; /* XXX static size of window */ int proxy = 0; struct ph2natt natt; u_int8_t ctxdoi = 0, ctxalg = 0; @@ -1460,7 +1460,7 @@ u_int e_type, e_keylen, a_type, a_keylen, flags; u_int satype, mode; u_int64_t lifebyte = 0; - u_int wsize = 4; /* XXX static size of window */ + u_int wsize = 8; /* XXX static size of window */ int proxy = 0; struct ph2natt natt; u_int8_t ctxdoi = 0, ctxalg = 0; |
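Review bot: the same magic number is edited in two places (the `u_int wsize = 4;` declaration in both the -1113 and the -1460 hunk) and the `/* XXX static size of window */` comment is kept, so the window stays static and the two sites can silently drift apart; hoist the value into one named constant, or, as suggested upstream in this thread, make it a per-peer/sainfo option in racoon.conf. Since wsize is the size of the bitfield in bytes, going from 4 to 8 widens the replay window from 32 to 64 packets; that is still a bounded window, and it should be kept as small as the reordering actually observed on the link requires.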
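To make the effect of wsize concrete, here is an added example (not racoon's or the kernel's code) of a sliding anti-replay window in the style of RFC 4303 Appendix A, sized in bytes the way racoon's wsize is. The names rw_init, rw_check and late_packet_accepted are this example's own; it shows that a packet arriving 40 positions behind the newest one is dropped with the default 4-byte (32-packet) window but accepted with an 8-byte (64-packet) one, while a true replay is rejected with either.

```c
#include <stdint.h>

/* Sliding anti-replay window in the style of RFC 4303 Appendix A (added
 * example, not racoon's or the kernel's code). Like racoon's wsize, the
 * window is a bitfield of `wsize` bytes: 4 bytes tracks 32 packets,
 * 8 bytes tracks 64. The bitmap is a uint64_t, so wsize is capped at 8. */
struct replay_win {
    uint32_t last;   /* highest sequence number accepted so far */
    uint32_t bits;   /* window width in packets = wsize * 8 */
    uint64_t map;    /* bit i set => sequence number (last - i) was seen */
};

void rw_init(struct replay_win *w, unsigned wsize)
{
    if (wsize > 8) wsize = 8;
    w->last = 0; w->bits = wsize * 8; w->map = 0;
}

/* Returns 1 if seq is fresh and recorded, 0 if it is a replay or too old. */
int rw_check(struct replay_win *w, uint32_t seq)
{
    uint64_t mask = (w->bits >= 64) ? ~0ULL : ((1ULL << w->bits) - 1);
    if (seq == 0)                    /* ESP never sends sequence number 0 */
        return 0;
    if (seq > w->last) {             /* new high-water mark: slide window */
        uint32_t shift = seq - w->last;
        w->map = (shift >= 64) ? 0 : (w->map << shift);
        w->map = (w->map | 1ULL) & mask;   /* bit 0 now stands for seq */
        w->last = seq;
        return 1;
    }
    uint32_t off = w->last - seq;    /* how far behind the window edge */
    if (off >= w->bits) return 0;    /* older than the window: dropped */
    if (w->map & (1ULL << off)) return 0;  /* already seen: replay */
    w->map |= 1ULL << off;
    return 1;
}

/* Deliver 1..n in order but hold back (n - lag), then deliver it last.
 * Returns 1 if the straggler is accepted, 0 if the window drops it. */
int late_packet_accepted(unsigned wsize, uint32_t n, uint32_t lag)
{
    struct replay_win w;
    rw_init(&w, wsize);
    for (uint32_t s = 1; s <= n; s++)
        if (s != n - lag) rw_check(&w, s);
    return rw_check(&w, n - lag);
}
```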