Hi,

Linux 2.6.11.10, ipsec-tools 0.6.

Racoon calculates the soft lifetime as 80% of the lifetime. Cisco always uses 30s. When the lifetime is 600s, the soft lifetime is 480s. At 480s racoon initiates a new phase 2 negotiation. A new IPsec SA is established, but the old one still exists and will be used for the next 120s. After 30s the Cisco switches to the new SA and drops packets; the Cisco says:

"decaps: rec'd IPSEC packet has invalid spi"

For 90s the Cisco is a blackhole ;/

On the BSD stack we have net.key.prefered-oldsa to tune the kernel's use of the old/new SA. There should be a similar configuration on the Linux stack (or it should just always use the new SA). How do I configure Linux to use the new SA instead of the old one?

-- 
Arkadiusz Patyk [areq(at)pld-linux.org] [http://rescuecd.pld-linux.org/]
[IRC:areq ICQ:16231667 GG:1383] [AP3-6BONE] [AP14126-RIPE]
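The timing race described in the mail, modelled as an added example (this is not code from the original post, from racoon or from the Cisco side). It simulates only the initiator-to-Cisco direction the mail describes, assumes the phase 2 negotiation completes instantly at the soft lifetime and that traffic flows at one packet per second, and uses made-up names (`RekeyModel`, `prefer_old_sa`) rather than any real sysctl. The point is to show that the 90s blackhole falls out of the two lifetimes plus the 30s switch, and that it disappears entirely once the initiator moves its outbound traffic to the new SA as soon as it exists.

```python
"""Model of an IPsec rekey race between an initiator that keeps using the
old outbound SA until its hard lifetime and a responder that stops
accepting the old SPI shortly after the new SA is negotiated.

Added example for illustration; not code from racoon, ipsec-tools or Cisco.
Negotiation delay is assumed to be zero and traffic is assumed to be 1 pkt/s.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass
class RekeyModel:
    lifetime: float          # hard lifetime of the IPsec SA in seconds (600 in the post)
    soft_fraction: float     # initiator renegotiates at this fraction of lifetime (racoon: 0.8)
    responder_switch: float  # seconds after the new SA until the responder drops the old SPI (Cisco: 30)
    prefer_old_sa: bool      # True: initiator sends on the old SA until hard expiry (the problem case)

    def soft_lifetime(self) -> float:
        """Time at which the initiator starts the new phase 2 negotiation."""
        return self.lifetime * self.soft_fraction

    def new_sa_time(self) -> float:
        """Time the new SA is installed on both peers (assumed: instant negotiation)."""
        return self.soft_lifetime()

    def responder_drop_time(self) -> float:
        """Time from which the responder rejects the old SPI ('invalid spi')."""
        return self.new_sa_time() + self.responder_switch

    def initiator_switch_time(self) -> float:
        """Time the initiator starts sending on the new SA."""
        return self.lifetime if self.prefer_old_sa else self.new_sa_time()

    def outbound_spi(self, t: float) -> str:
        """Which SA the initiator puts packets on at time t."""
        return "old" if t < self.initiator_switch_time() else "new"

    def responder_accepts(self, t: float) -> Set[str]:
        """Set of SAs the responder will decapsulate at time t."""
        accepted = set()
        if t < self.responder_drop_time():
            accepted.add("old")
        if t >= self.new_sa_time():
            accepted.add("new")
        return accepted

    def blackhole_window(self) -> Optional[Tuple[float, float]]:
        """Interval [start, end) during which every initiator packet is dropped,
        or None when there is no such interval."""
        start = self.responder_drop_time()
        end = self.initiator_switch_time()
        return (start, end) if end > start else None

    def dropped_packets(self) -> int:
        """Simulate one packet per second over one SA lifetime and count drops."""
        drops = 0
        for t in range(int(self.lifetime)):
            if self.outbound_spi(t) not in self.responder_accepts(t):
                drops += 1
        return drops


if __name__ == "__main__":
    # Numbers from the post: 600s lifetime, racoon at 80%, Cisco switches after 30s.
    broken = RekeyModel(lifetime=600, soft_fraction=0.8, responder_switch=30, prefer_old_sa=True)
    fixed = RekeyModel(lifetime=600, soft_fraction=0.8, responder_switch=30, prefer_old_sa=False)
    print("soft lifetime:", broken.soft_lifetime())
    print("blackhole window (old SA preferred):", broken.blackhole_window())
    print("packets dropped (old SA preferred):", broken.dropped_packets())
    print("blackhole window (new SA used at once):", fixed.blackhole_window())
    print("packets dropped (new SA used at once):", fixed.dropped_packets())
```

With the post's numbers the model gives a soft lifetime of 480s, a blackhole from 510s to 600s and 90 dropped packets; setting `prefer_old_sa=False`, i.e. moving outbound traffic to the new SA as soon as it is installed, removes the window completely, which is the behaviour the mail is asking how to get from the Linux stack.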