From: Eugene M. Z. <em...@no...> - 2010-06-18 08:37:42
Hi.

I use ipsec-tools on my VPN network, to connect multiple LANs across WAN. My usual setup is to use ah+esp in transport mode. I use 0.7.3 on FreeBSD 8.0.

Sometimes when investigating connectivity problems I notice that in some cases (I don't know atm when exactly) racoon does install a pair of extra SAs on one or (this is more often) two security gateways. That means that for A -> B ah+esp I normally should have one pair of ah and esp SAs for each direction, but I have two pairs, and their timestamps are identical. And the connectivity problem happens when this extra pair of SAs is present only on one host (and it can be solved by manual deletion of the extra pair).

Is this a setup problem or an ipsec-tools issue?

Live example, that is happening right now:

===Cut===
Both hosts normally have more tunnels (A has 10, and B has 2), but all tunnels have unique tunnel address pairs. There are some extra SAs for other SPs. The ones posted here are just one example.

host A:

SP:

SA:
10.50.116.6 10.50.110.66
        esp mode=transport spi=199093388(0x0bddec8c) reqid=0(0x00000000)
        E: blowfish-cbc 574be250 9716f225 4ab0682d de4b1330
        A: hmac-md5 70cb0840 7d2d6206 a6d8bb66 14a5630c
        seq=0x00000239 replay=4 flags=0x00000000 state=mature
        created: Jun 18 13:34:23 2010 current: Jun 18 13:48:01 2010
        diff: 818(s) hard: 3600(s) soft: 2880(s)
        last: hard: 0(s) soft: 0(s)
        current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 0 hard: 0 soft: 0
        sadb_seq=33 pid=58939 refcnt=2
10.50.116.6 10.50.110.66
        esp mode=transport spi=220392751(0x0d22ed2f) reqid=0(0x00000000)
        E: blowfish-cbc d6e4640f 82fdc4f3 9bfa73ed 9d6da903
        A: hmac-md5 25fed815 25b1ef75 66f8edad 74e02e22
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jun 18 13:34:23 2010 current: Jun 18 13:48:01 2010
        diff: 818(s) hard: 3600(s) soft: 2880(s)
        last: hard: 0(s) soft: 0(s)
        current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 0 hard: 0 soft: 0
        sadb_seq=32 pid=58939 refcnt=1
10.50.116.6 10.50.110.66
        ah mode=transport spi=164432954(0x09cd0c3a) reqid=0(0x00000000)
        A: hmac-md5 3f27b3a4 235ed5e4 e66d224c f7d5a44a
        seq=0x00000239 replay=4 flags=0x00000000 state=mature
        created: Jun 18 13:34:23 2010 current: Jun 18 13:48:01 2010
        diff: 818(s) hard: 3600(s) soft: 2880(s)
        last: Jun 18 13:47:53 2010 hard: 0(s) soft: 0(s)
        current: 258408(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 569 hard: 0 soft: 0
        sadb_seq=31 pid=58939 refcnt=2
10.50.116.6 10.50.110.66
        ah mode=transport spi=134525608(0x0804b2a8) reqid=0(0x00000000)
        A: hmac-md5 7c882b8c f6f9f998 93d85b1d a1c1649c
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jun 18 13:34:23 2010 current: Jun 18 13:48:01 2010
        diff: 818(s) hard: 3600(s) soft: 2880(s)
        last: hard: 0(s) soft: 0(s)
        current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 0 hard: 0 soft: 0
        sadb_seq=30 pid=58939 refcnt=1
10.50.110.66 10.50.116.6
        esp mode=transport spi=238067289(0x0e309e59) reqid=0(0x00000000)
        E: blowfish-cbc 0fbf306f 332ce1d1 005d8446 aabe9fcd
        A: hmac-md5 9c86cd42 4629bba3 5a4f91e4 7921bab7
        seq=0x000003a3 replay=4 flags=0x00000000 state=mature
        created: Jun 18 13:34:23 2010 current: Jun 18 13:48:01 2010
        diff: 818(s) hard: 3600(s) soft: 2880(s)
        last: Jun 18 13:47:53 2010 hard: 0(s) soft: 0(s)
        current: 279700(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 931 hard: 0 soft: 0
        sadb_seq=29 pid=58939 refcnt=1
10.50.110.66 10.50.116.6
        esp mode=transport spi=66544371(0x03f762f3) reqid=0(0x00000000)
        E: blowfish-cbc e211c592 1c7e187f a023fa43 238c090a
        A: hmac-md5 3941c786 baf98d79 fb4c0d55 2d975537
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jun 18 13:34:23 2010 current: Jun 18 13:48:01 2010
        diff: 818(s) hard: 3600(s) soft: 2880(s)
        last: hard: 0(s) soft: 0(s)
        current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 0 hard: 0 soft: 0
        sadb_seq=28 pid=58939 refcnt=1
10.50.110.66 10.50.116.6
        ah mode=transport spi=69184048(0x041faa30) reqid=0(0x00000000)
        A: hmac-md5 a34633c2 712d6c94 77b174cb e5976eb5
        seq=0x000003a3 replay=4 flags=0x00000000 state=mature
        created: Jun 18 13:34:23 2010 current: Jun 18 13:48:01 2010
        diff: 818(s) hard: 3600(s) soft: 2880(s)
        last: Jun 18 13:47:53 2010 hard: 0(s) soft: 0(s)
        current: 310688(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 931 hard: 0 soft: 0
        sadb_seq=27 pid=58939 refcnt=1
10.50.110.66 10.50.116.6
        ah mode=transport spi=201434608(0x0c01a5f0) reqid=0(0x00000000)
        A: hmac-md5 48f4e9e1 691c1c81 cace41ee 7aac082e
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jun 18 13:34:23 2010 current: Jun 18 13:48:01 2010
        diff: 818(s) hard: 3600(s) soft: 2880(s)
        last: hard: 0(s) soft: 0(s)
        current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 0 hard: 0 soft: 0
        sadb_seq=26 pid=58939 refcnt=1

B:

SP:
%setkey -DP
10.50.116.6[any] 10.50.110.66[any] gre
        in ipsec
        esp/transport/10.50.116.6-10.50.110.66/require
        ah/transport/10.50.116.6-10.50.110.66/require
        spid=1 seq=3 pid=7336
        refcnt=1
10.50.110.66[any] 10.50.116.6[any] gre
        out ipsec
        esp/transport/10.50.110.66-10.50.116.6/require
        ah/transport/10.50.110.66-10.50.116.6/require
        spid=2 seq=1 pid=7336
        refcnt=1

SA:
10.50.110.66 10.50.116.6
        esp mode=transport spi=238067289(0x0e309e59) reqid=0(0x00000000)
        E: blowfish-cbc 0fbf306f 332ce1d1 005d8446 aabe9fcd
        A: hmac-md5 9c86cd42 4629bba3 5a4f91e4 7921bab7
        seq=0x000003a3 replay=4 flags=0x00000000 state=mature
        created: Jun 18 13:34:25 2010 current: Jun 18 13:47:58 2010
        diff: 813(s) hard: 3600(s) soft: 2880(s)
        last: hard: 0(s) soft: 0(s)
        current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 0 hard: 0 soft: 0
        sadb_seq=7 pid=7335 refcnt=2
10.50.110.66 10.50.116.6
        esp mode=transport spi=66544371(0x03f762f3) reqid=0(0x00000000)
        E: blowfish-cbc e211c592 1c7e187f a023fa43 238c090a
        A: hmac-md5 3941c786 baf98d79 fb4c0d55 2d975537
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jun 18 13:34:25 2010 current: Jun 18 13:47:58 2010
        diff: 813(s) hard: 3600(s) soft: 2880(s)
        last: hard: 0(s) soft: 0(s)
        current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 0 hard: 0 soft: 0
        sadb_seq=6 pid=7335 refcnt=1
10.50.110.66 10.50.116.6
        ah mode=transport spi=69184048(0x041faa30) reqid=0(0x00000000)
        A: hmac-md5 a34633c2 712d6c94 77b174cb e5976eb5
        seq=0x000003a3 replay=4 flags=0x00000000 state=mature
        created: Jun 18 13:34:25 2010 current: Jun 18 13:47:58 2010
        diff: 813(s) hard: 3600(s) soft: 2880(s)
        last: Jun 18 13:47:54 2010 hard: 0(s) soft: 0(s)
        current: 333032(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 931 hard: 0 soft: 0
        sadb_seq=5 pid=7335 refcnt=2
10.50.110.66 10.50.116.6
        ah mode=transport spi=201434608(0x0c01a5f0) reqid=0(0x00000000)
        A: hmac-md5 48f4e9e1 691c1c81 cace41ee 7aac082e
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jun 18 13:34:25 2010 current: Jun 18 13:47:58 2010
        diff: 813(s) hard: 3600(s) soft: 2880(s)
        last: hard: 0(s) soft: 0(s)
        current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 0 hard: 0 soft: 0
        sadb_seq=4 pid=7335 refcnt=1
10.50.116.6 10.50.110.66
        esp mode=transport spi=199093388(0x0bddec8c) reqid=0(0x00000000)
        E: blowfish-cbc 574be250 9716f225 4ab0682d de4b1330
        A: hmac-md5 70cb0840 7d2d6206 a6d8bb66 14a5630c
        seq=0x00000237 replay=4 flags=0x00000000 state=mature
        created: Jun 18 13:34:25 2010 current: Jun 18 13:47:58 2010
        diff: 813(s) hard: 3600(s) soft: 2880(s)
        last: Jun 18 13:47:55 2010 hard: 0(s) soft: 0(s)
        current: 225220(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 567 hard: 0 soft: 0
        sadb_seq=3 pid=7335 refcnt=1
10.50.116.6 10.50.110.66
        esp mode=transport spi=220392751(0x0d22ed2f) reqid=0(0x00000000)
        E: blowfish-cbc d6e4640f 82fdc4f3 9bfa73ed 9d6da903
        A: hmac-md5 25fed815 25b1ef75 66f8edad 74e02e22
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jun 18 13:34:25 2010 current: Jun 18 13:47:58 2010
        diff: 813(s) hard: 3600(s) soft: 2880(s)
        last: hard: 0(s) soft: 0(s)
        current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 0 hard: 0 soft: 0
        sadb_seq=2 pid=7335 refcnt=1
10.50.116.6 10.50.110.66
        ah mode=transport spi=164432954(0x09cd0c3a) reqid=0(0x00000000)
        A: hmac-md5 3f27b3a4 235ed5e4 e66d224c f7d5a44a
        seq=0x00000237 replay=4 flags=0x00000000 state=mature
        created: Jun 18 13:34:25 2010 current: Jun 18 13:47:58 2010
        diff: 813(s) hard: 3600(s) soft: 2880(s)
        last: Jun 18 13:47:55 2010 hard: 0(s) soft: 0(s)
        current: 244440(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 567 hard: 0 soft: 0
        sadb_seq=1 pid=7335 refcnt=1
10.50.116.6 10.50.110.66
        ah mode=transport spi=134525608(0x0804b2a8) reqid=0(0x00000000)
        A: hmac-md5 7c882b8c f6f9f998 93d85b1d a1c1649c
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jun 18 13:34:25 2010 current: Jun 18 13:47:58 2010
        diff: 813(s) hard: 3600(s) soft: 2880(s)
        last: hard: 0(s) soft: 0(s)
        current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 0 hard: 0 soft: 0
        sadb_seq=0 pid=7335 refcnt=1

SP:
% setkey -DP
10.50.110.66[any] 10.50.116.6[any] gre
        in ipsec
        esp/transport/10.50.110.66-10.50.116.6/require
        ah/transport/10.50.110.66-10.50.116.6/require
        spid=104 seq=14 pid=58986
        refcnt=1
10.50.116.6[any] 10.50.110.66[any] gre
        out ipsec
        esp/transport/10.50.116.6-10.50.110.66/require
        ah/transport/10.50.116.6-10.50.110.66/require
        spid=103 seq=4 pid=58986
        refcnt=1
===Cut===

Thanks,
Eugene.
From: Dan M. <dan...@or...> - 2010-06-18 14:27:02
On Fri, Jun 18, 2010 at 01:58:14PM +0600, Eugene M. Zheganin wrote:
> Sometimes when investigating connectivity problems I notice that in some
> cases (I don't know atm when exactly) racoon does install a pair of
> extra SAs on one or (this is more often) two security gateways. That means
> that for A -> B ah+esp I normally should have one pair of ah and esp SAs
> for each direction, but I have two pairs, and their timestamps are
> identical. And the connectivity problem happens when this extra pair of
> SAs is present only on one host (and it can be solved by manual deletion
> of the extra pair).
>
> Is this a setup problem or an ipsec-tools issue?

It's possible that both hosts decided to initiate Quick Mode after an expiration of IPsec SAs. That would result in an extra pair.

Dan
From: Eugene M. Z. <em...@no...> - 2010-06-29 09:30:48
Hi.

On 18.06.2010 20:25, Dan McDonald wrote:
>> Sometimes when investigating connectivity problems I notice that in some
>> cases (I don't know atm when exactly) racoon does install a pair of
>> extra SAs on one or (this is more often) two security gateways. That means
>> that for A -> B ah+esp I normally should have one pair of ah and esp SAs
>> for each direction, but I have two pairs, and their timestamps are
>> identical. And the connectivity problem happens when this extra pair of
>> SAs is present only on one host (and it can be solved by manual deletion
>> of the extra pair).
>>
>> Is this a setup problem or an ipsec-tools issue?
>>
> It's possible that both hosts decided to initiate Quick Mode after an
> expiration of IPsec SAs. That would result in an extra pair.
>

I've just cured one tunnel (ah+esp/freebsd-cisco) by deleting one extra SA on the freebsd side. It was an ESP SA, and the tunnel started to work immediately after that. So I'm thinking it's not that valid pair, it's something really sad. Below is the output from both sides. It was cured by this:

setkey -f sad.rm

sad.rm:

delete 192.168.254.250 10.10.10.45 esp 0xf67d7bd1;
delete 10.10.10.45 192.168.254.250 esp 0x09ab31a4;

I should say one more thing: it looks to me like it's not happening all the time, but it happens when I'm configuring new tunnels, so it may really be old pairs of SAs, but the question is why aren't they cleared by the daemon, because they really interfere with the good SAs.

Cisco:

===Cut===
interface: ATM0.1
    Crypto map tag: norma-vpn-ike, local addr 10.10.10.45

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.10.45/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.254.250/255.255.255.255/47/0)
   current_peer 192.168.254.250 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 4

     local crypto endpt.: 10.10.10.45, remote crypto endpt.: 192.168.254.250
     path mtu 1500, ip mtu 1500, ip mtu idb ATM0.1
     current outbound spi: 0x700F669(117503593)

     inbound esp sas:
      spi: 0x429A2425(1117398053)
        transform: esp-des ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: C83X_MBRD:1, crypto map: norma-vpn-ike
        sa timing: remaining key lifetime (k/sec): (4604505/3573)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:
      spi: 0x33BB2CB2(867904690)
        transform: ah-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: C83X_MBRD:1, crypto map: norma-vpn-ike
        sa timing: remaining key lifetime (k/sec): (4604505/3573)
        replay detection support: Y
        Status: ACTIVE

     inbound pcp sas:

     outbound esp sas:
      spi: 0x700F669(117503593)
        transform: esp-des ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: C83X_MBRD:2, crypto map: norma-vpn-ike
        sa timing: remaining key lifetime (k/sec): (4604504/3573)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:
      spi: 0x536DF4A(87482186)
        transform: ah-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: C83X_MBRD:2, crypto map: norma-vpn-ike
        sa timing: remaining key lifetime (k/sec): (4604504/3569)
        replay detection support: Y
        Status: ACTIVE

     outbound pcp sas:
dsl-gagar91#
===Cut===

FreeBSD/ipsec 0.7.3:

===Cut===
192.168.254.250 10.10.10.45
        esp mode=transport spi=1117398053(0x429a2425) reqid=0(0x00000000)
        E: des-cbc d1a4cc8e 901b3970
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jun 29 15:13:40 2010 current: Jun 29 15:14:19 2010
        diff: 39(s) hard: 3600(s) soft: 2880(s)
        last: hard: 0(s) soft: 0(s)
        current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 0 hard: 0 soft: 0
        sadb_seq=54 pid=30884 refcnt=1
192.168.254.250 10.10.10.45
        esp mode=transport spi=4135418833(0xf67d7bd1) reqid=0(0x00000000)
        E: des-cbc 29970898 e1f6f2f3
        seq=0x00000127 replay=4 flags=0x00000000 state=mature
        created: Jun 29 14:50:08 2010 current: Jun 29 15:14:19 2010
        diff: 1451(s) hard: 3600(s) soft: 2880(s)
        last: hard: 0(s) soft: 0(s)
        current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 0 hard: 0 soft: 0
        sadb_seq=53 pid=30884 refcnt=2
192.168.254.250 10.10.10.45
        ah mode=transport spi=867904690(0x33bb2cb2) reqid=0(0x00000000)
        A: hmac-sha1 a529cf62 7b56aad4 0ba36b95 5d332128 83c3a008
        seq=0x00000004 replay=4 flags=0x00000000 state=mature
        created: Jun 29 15:13:40 2010 current: Jun 29 15:14:19 2010
        diff: 39(s) hard: 3600(s) soft: 2880(s)
        last: Jun 29 15:13:50 2010 hard: 0(s) soft: 0(s)
        current: 688(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 4 hard: 0 soft: 0
        sadb_seq=52 pid=30884 refcnt=2
10.10.10.45 192.168.254.250
        esp mode=transport spi=117503593(0x0700f669) reqid=0(0x00000000)
        E: des-cbc da799645 58fe55b3
        seq=0x00000008 replay=4 flags=0x00000000 state=mature
        created: Jun 29 15:13:40 2010 current: Jun 29 15:14:19 2010
        diff: 39(s) hard: 3600(s) soft: 2880(s)
        last: Jun 29 15:14:09 2010 hard: 0(s) soft: 0(s)
        current: 920(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 8 hard: 0 soft: 0
        sadb_seq=51 pid=30884 refcnt=1
10.10.10.45 192.168.254.250
        esp mode=transport spi=162214308(0x09ab31a4) reqid=0(0x00000000)
        E: des-cbc d5ac0c4c 46d7eb95
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jun 29 14:50:08 2010 current: Jun 29 15:14:19 2010
        diff: 1451(s) hard: 3600(s) soft: 2880(s)
        last: hard: 0(s) soft: 0(s)
        current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 0 hard: 0 soft: 0
        sadb_seq=50 pid=30884 refcnt=1
10.10.10.45 192.168.254.250
        ah mode=transport spi=87482186(0x0536df4a) reqid=0(0x00000000)
        A: hmac-sha1 73e5f68e d6b3add2 d4fb52a0 5e3bfb0d f3dba2bf
        seq=0x00000008 replay=4 flags=0x00000000 state=mature
        created: Jun 29 15:13:40 2010 current: Jun 29 15:14:19 2010
        diff: 39(s) hard: 3600(s) soft: 2880(s)
        last: Jun 29 15:14:09 2010 hard: 0(s) soft: 0(s)
        current: 1112(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 8 hard: 0 soft: 0
        sadb_seq=49 pid=30884 refcnt=1
10.10.10.45 192.168.254.250
        ah mode=transport spi=231033133(0x0dc5492d) reqid=0(0x00000000)
        A: hmac-sha1 28d91061 ed705d03 79dcdc26 72abc947 1e42a210
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jun 29 14:50:08 2010 current: Jun 29 15:14:19 2010
        diff: 1451(s) hard: 3600(s) soft: 2880(s)
        last: hard: 0(s) soft: 0(s)
        current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 0 hard: 0 soft: 0
        sadb_seq=48 pid=30884 refcnt=1
===Cut===

Eugene.
From: Eugene M. Z. <em...@no...> - 2010-07-30 13:04:03
Hi.

On 18.06.2010 20:25, Dan McDonald wrote:
> On Fri, Jun 18, 2010 at 01:58:14PM +0600, Eugene M. Zheganin wrote:
>
>> Sometimes when investigating connectivity problems I notice that in some
>> cases (I don't know atm when exactly) racoon does install a pair of
>> extra SAs on one or (this is more often) two security gateways. That means
>> that for A -> B ah+esp I normally should have one pair of ah and esp SAs
>> for each direction, but I have two pairs, and their timestamps are
>> identical. And the connectivity problem happens when this extra pair of
>> SAs is present only on one host (and it can be solved by manual deletion
>> of the extra pair).
>>
>> Is this a setup problem or an ipsec-tools issue?
>>
> It's possible that both hosts decided to initiate Quick Mode after an
> expiration of IPsec SAs. That would result in an extra pair.
>
> Dan
>

Today I found six (!) pairs of SAs on a stuck tunnel. The other side had only two, as it should. 5 pairs on the bugged side were displayed with much older timestamps.

Cisco and Juniper routers never end up with more than the required 2 pairs of SAs under any circumstances, so I'm definitely sure the situation when ipsec-tools keeps old SAs is sort of a bug.

Eugene.
From: VANHULLEBUS Y. <va...@fr...> - 2010-07-30 15:07:45
On Fri, Jul 30, 2010 at 06:33:02PM +0600, Eugene M. Zheganin wrote:
> Hi.

Hi.

[....]

> Today I found six (!) pairs of SAs on a stuck tunnel. The other side had only
> two, as it should. 5 pairs on the bugged side were displayed with much
> older timestamps.
>
> Cisco and Juniper routers never end up with more than the required 2 pairs of
> SAs under any circumstances, so I'm definitely sure the situation when
> ipsec-tools keeps old SAs is sort of a bug.

Keeping or deleting "old" SAs is not racoon's stuff, it's SADB's stuff, which is done by the kernel.

On BSDs, there is a sysctl which controls whether older or newer SAs should be used (and if set to newer, older ones are deleted), which is set by default to "use older".

This is RFC compliant, but on this specific thing, the RFC is wrong.....

Yvan.
From: Eugene M. Z. <em...@no...> - 2010-07-31 07:04:37
Hi.

30.07.2010 21:07, VANHULLEBUS Yvan writes:
> Keeping or deleting "old" SAs is not racoon's stuff, it's SADB's
> stuff, which is done by the kernel.
>
> On BSDs, there is a sysctl which controls whether older or newer SAs
> should be used (and if set to newer, older ones are deleted), which is
> set by default to "use older".
>

Maybe you remember what variable it is? I've read man pages and grepped sysctl -a output assuming it's something *ipsec* or *sadb* but found nothing.

Thanks.

Eugene.
From: Stephen C. <scl...@ea...> - 2010-07-31 22:09:10
On 07/31/2010 03:04 AM, Eugene M. Zheganin wrote:
> Hi.
>
> 30.07.2010 21:07, VANHULLEBUS Yvan writes:
>
>> Keeping or deleting "old" SAs is not racoon's stuff, it's SADB's
>> stuff, which is done by the kernel.
>>
>> On BSDs, there is a sysctl which controls whether older or newer SAs
>> should be used (and if set to newer, older ones are deleted), which is
>> set by default to "use older".
>>
>>
> Maybe you remember what variable it is? I've read man pages and
> grepped sysctl -a output assuming it's something *ipsec* or *sadb* but
> found nothing.
>
> Thanks.
>
> Eugene.
>

net.key.prefered_oldsa

--
"They that give up essential liberty to obtain temporary safety, deserve neither liberty nor safety." (Ben Franklin)
"The course of history shows that as a government grows, liberty decreases." (Thomas Jefferson)
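The thread gives two independent clues that an SA in the BSD SADB is stale: it is the second SA for the same (source, destination, protocol) triple with identical or older timestamps and no traffic counters, and its SPI is absent from the peer's own table (compare the FreeBSD dump with the Cisco "show crypto ipsec sa" output in Eugene's second message). The script below is an added example written for this thread; it is not ipsec-tools code and not something any poster ran. It parses `setkey -D` output, reports duplicate groups, says which SA of each group the kernel would pick under `net.key.prefered_oldsa` (the assumption made here is that 1 selects the oldest SA and 0 the newest, as Yvan describes), lists SAs the peer does not know about, and renders them as `setkey -f` delete lines in the sad.rm format used above. The sample input is constructed from values quoted in this thread; the function names are chosen here.

```python
import re
from collections import defaultdict

# Constructed sample in `setkey -D` layout. The values are copied from the
# FreeBSD side of the freebsd-cisco tunnel quoted in this thread: the inbound
# ESP pair (one fresh, one 24 minutes older and idle) and one idle outbound AH.
SAMPLE_SETKEY_D = """\
192.168.254.250 10.10.10.45
        esp mode=transport spi=1117398053(0x429a2425) reqid=0(0x00000000)
        E: des-cbc d1a4cc8e 901b3970
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jun 29 15:13:40 2010 current: Jun 29 15:14:19 2010
        diff: 39(s) hard: 3600(s) soft: 2880(s)
        last: hard: 0(s) soft: 0(s)
        current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 0 hard: 0 soft: 0
        sadb_seq=54 pid=30884 refcnt=1
192.168.254.250 10.10.10.45
        esp mode=transport spi=4135418833(0xf67d7bd1) reqid=0(0x00000000)
        E: des-cbc 29970898 e1f6f2f3
        seq=0x00000127 replay=4 flags=0x00000000 state=mature
        created: Jun 29 14:50:08 2010 current: Jun 29 15:14:19 2010
        diff: 1451(s) hard: 3600(s) soft: 2880(s)
        last: hard: 0(s) soft: 0(s)
        current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 0 hard: 0 soft: 0
        sadb_seq=53 pid=30884 refcnt=2
10.10.10.45 192.168.254.250
        ah mode=transport spi=231033133(0x0dc5492d) reqid=0(0x00000000)
        A: hmac-sha1 28d91061 ed705d03 79dcdc26 72abc947 1e42a210
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jun 29 14:50:08 2010 current: Jun 29 15:14:19 2010
        diff: 1451(s) hard: 3600(s) soft: 2880(s)
        last: hard: 0(s) soft: 0(s)
        current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 0 hard: 0 soft: 0
        sadb_seq=48 pid=30884 refcnt=1
"""

# SPIs the Cisco side listed in "show crypto ipsec sa" (quoted in the thread).
CISCO_PEER_SPIS = ["0x429A2425", "0x33BB2CB2", "0x700F669", "0x536DF4A"]

SA_HEADER = re.compile(r"^(\S+) (\S+)$")  # unindented "src dst" opens a record
SA_PROTO = re.compile(r"^\s*(esp|ah|ipcomp) mode=(\w+) spi=(\d+)\(")
FIELDS = {  # counters worth keeping; 'age' is setkey's "diff" in seconds
    "created": (re.compile(r"created: (\w{3} +\d+ \d\d:\d\d:\d\d \d{4})"), str),
    "age": (re.compile(r"diff: (\d+)\(s\)"), int),
    "bytes": (re.compile(r"current: (\d+)\(bytes\)"), int),
    "allocated": (re.compile(r"allocated: (\d+)"), int),
}


def parse_setkey_dump(text):
    """Turn `setkey -D` output into one dict per SA."""
    sas, cur = [], None
    for line in text.splitlines():
        m = SA_HEADER.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = SA_PROTO.match(line)
        if m:
            cur["proto"], cur["mode"], cur["spi"] = m.group(1), m.group(2), int(m.group(3))
        for key, (rx, conv) in FIELDS.items():
            m = rx.search(line)
            if m and key not in cur:
                cur[key] = conv(m.group(1))
    return sas


def find_duplicates(sas):
    """Group by (src, dst, proto); more than one SA per group is the thread's symptom."""
    groups = defaultdict(list)
    for sa in sas:
        groups[(sa["src"], sa["dst"], sa["proto"])].append(sa)
    return {k: sorted(v, key=lambda s: -s["age"]) for k, v in groups.items() if len(v) > 1}


def kernel_choice(group, prefered_oldsa=True):
    """SA the kernel would use for outbound traffic from a duplicate group, assuming
    net.key.prefered_oldsa=1 means oldest-wins and 0 means newest-wins."""
    pick = max if prefered_oldsa else min
    return pick(group, key=lambda s: s["age"])


def find_orphans(sas, peer_spis):
    """SAs whose SPI the peer does not have: packets sent on them are dropped there."""
    known = {int(s, 16) for s in peer_spis}
    return [sa for sa in sas if sa["spi"] not in known]


def deletion_script(sas):
    """Render the SAs as `setkey -f` delete lines, like the sad.rm file in the thread."""
    return ["delete %s %s %s 0x%08x;" % (sa["src"], sa["dst"], sa["proto"], sa["spi"]) for sa in sas]


if __name__ == "__main__":
    sas = parse_setkey_dump(SAMPLE_SETKEY_D)
    for key, group in find_duplicates(sas).items():
        pick = kernel_choice(group)
        print("%s -> %s %s: %d SAs, kernel uses spi=0x%08x" % (key + (len(group), pick["spi"])))
    print("\n".join(deletion_script(find_orphans(sas, CISCO_PEER_SPIS))))
```

On a real gateway feed it `setkey -D` output piped from the FreeBSD side and the SPI list from the peer; the duplicate report shows why the default sysctl value hurts here: with oldest-wins, the kernel keeps sending on the SA the peer has already discarded, which is exactly the "works after deleting one SA" behaviour described in the thread.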
From: Stefan B. <ste...@cu...> - 2010-08-01 19:04:13
On 30.07.2010 17:07, VANHULLEBUS Yvan wrote:
> On BSDs, there is a sysctl which controls whether older or newer SAs
> should be used (and if set to newer, older ones are deleted), which is
> set by default to "use older".

Anything similar to net.key.prefered_oldsa available on linux?

Stefan

--
Stefan Bauer
-----------------------------------------
PGP: E80A 50D5 2D46 341C A887 F05D 5C81 5858 DCEF 8C34
-------- plzk.de - Linux - because it works ----------