Hello, VANHULLEBUS Yvan <[EMAIL PROTECTED]> wrote:
> net.key.prefered_oldsa, or net.key.preferred_oldsa (changed since > 4.X). > It is 1 by default, and it should be set to 0 to help better > interoperability with lots of peers..... This seems quite like correct solution. I analyzed behavior of the interface and saw upcoming ping requests (obviously) AND outgoing ping echoes, but remote host didn't get them. Obviously incoming packets were decrypted using one of SAs (the new one) but outgoing packets were encrypted using old SA which is not present on remote host due to some problems (like forced reboot, connection problems etc). Normally in this case remote host must report of unknown spi, but rather it lacks this function or it just ignores these packets. As it is a hardware router I am unaware of its behavior. I will test this solution for some time but I am sure this will help. Thanx for really great help - all these troubles are on my production box and every minute of malfunction returns to me with #not good# words of my boss :/ -- Best regards, Oleg Tarasov mailto:[EMAIL PROTECTED] _______________________________________________ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "[EMAIL PROTECTED]"
