On Sat, 09 Jul 2005 16:49:01 +0200, you wrote:
>Arkadiusz Patyk wrote:
>> Racoon calculates soft lifetime as 80% of lifetime.
>> Cisco always uses 30s.
>> When lifetime is 600s soft is 480s.
>>
>> In 480s racoon initiates new phase 2 negotiation.
>> New IPsec-SA is established, but old exists and will
>> be used for next 120s.
>>
>> After 30s cisco switches to new SA and drops packets
>> cisco says: "decaps: rec'd IPSEC packet has invalid spi"
>> During 90s cisco is a blackhole ;/
>>
>> On BSD stack, we have net.key.prefered-oldsa to tune kernel usage of
>> old/new SA. There should be a similar configuration on Linux stack (or
>> just always use new SA).
>>
>> How to confute linux to use new SA instead of old one?
>
>Linux does use the new SA when looking it up again, but it caches the
>resolved bundles until an SA expires or is deleted. You could change
>racoon to remove the old SA and thus behave similarly to Cisco, but this
>is wrong for multiple reasons. The other possibility is to flush all
>cached bundles and resolve them again, but this is inefficient.

Why does the Linux stack not have something like BSD's net.key.prefered-oldsa?

>Are you sure you can't tell the Cisco to keep the old SA? As long as
>it's present and valid, it should still accept packets using it.

I'm sure ;(

--
Arkadiusz Patyk [areq(at)pld-linux.org] [http://rescuecd.pld-linux.org/]
[IRC:areq ICQ:16231667 GG:1383] [AP3-6BONE] [AP14126-RIPE]
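The rekey timeline from the thread as an added example (not code from the post, racoon or Cisco): a Python model of the two peers' SA-selection rules that reproduces the 90s blackhole and shows it disappears if either the sender prefers the new SA or the receiver keeps the old one until hard expiry. The 30s receiver grace is an assumption read from "After 30s cisco switches to new SA"; the SPI values are constructed.

```python
"""Model of the rekey race in the thread (constructed example, not from the post).

SA1 is installed at t=0 with a 600s hard lifetime; racoon rekeys at its 80% soft
lifetime (t=480) and SA2 is installed.  A Linux sender keeps using SA1 until it
expires (cached bundle); the Cisco receiver drops SA1 30s after the rekey (assumed).
"""
from dataclasses import dataclass
from typing import Optional, Tuple

LIFETIME = 600                        # hard lifetime of each IPsec SA (seconds), from the thread
SOFT = int(LIFETIME * 0.8)            # racoon soft lifetime = 80% -> 480s, when the phase 2 rekey starts

@dataclass(frozen=True)
class SA:
    spi: int
    installed: int
    expires: int

@dataclass(frozen=True)
class Sender:
    prefer_old_sa: bool               # True: Linux behaviour (cached bundle); False: always newest SA

@dataclass(frozen=True)
class Receiver:
    superseded_grace: Optional[int]   # seconds a superseded inbound SA is still accepted; None = until hard expiry

SA1 = SA(spi=0x1001, installed=0, expires=LIFETIME)           # constructed SPIs
SA2 = SA(spi=0x1002, installed=SOFT, expires=SOFT + LIFETIME)

def outbound_sa(t: int, sender: Sender) -> SA:
    """SA the sender puts on the wire at second t."""
    live = [sa for sa in (SA1, SA2) if sa.installed <= t < sa.expires]
    pick = min if sender.prefer_old_sa else max
    return pick(live, key=lambda sa: sa.installed)

def accepts(t: int, receiver: Receiver, sa: SA) -> bool:
    """Whether the receiver still holds an inbound SA for sa.spi at second t."""
    if not sa.installed <= t < sa.expires:
        return False
    newer = [s for s in (SA1, SA2) if sa.installed < s.installed <= t]
    if newer and receiver.superseded_grace is not None:
        return t < newer[0].installed + receiver.superseded_grace
    return True

def blackhole_window(sender: Sender, receiver: Receiver) -> Optional[Tuple[int, int]]:
    """(first, last) second of SA1's lifetime at which traffic is dropped, or None."""
    dropped = [t for t in range(LIFETIME) if not accepts(t, receiver, outbound_sa(t, sender))]
    return (dropped[0], dropped[-1]) if dropped else None
```

With the Linux sender and the 30s grace the window is seconds 510 through 599, i.e. the 90s the thread reports.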