Subject: Re: bin/28922: racoon leaves old SA's in kernel
To: Kimmo Suominen <kim@tac.nyc.ny.us>
From: みのうら まこと <makoto@hauN.org>
List: netbsd-bugs
Date: 01/10/2005 15:39:03
|> In <20050110035604.GT12963@kimmo.suominen.com>
|> Kimmo Suominen <kim@tac.nyc.ny.us> wrote:
> This seems to result in traffic being discarded by the receiver, which
> no longer has the old keys used by the sender.
I had this problem when I was using IPsec between NetBSD and Windows.
In racoon.conf(5):
> even when a new SA was established. The KAME stack has
> the switch in the system wide value,
> net.key.preferred_oldsa. When the value is zero, the stack always
> uses a new SA.
Apparently KAME-based NetBSD stack != KAME stack here...
(FAST_IPSEC seems to have this though...)
--
Minoura Makoto <makoto@hauN.org>