Subject: Re: w2k vs opencrypto
To: Love <lha@stacken.kth.se>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-net
Date: 12/14/2003 12:49:27
On Sun, Dec 14, 2003 at 06:22:31PM +0100, Love wrote:
> 
> Hi
> 
> I just turned off opencrypto and suddenly all my problems I've had talking
> to my w2k test machine with rdesktop just vanished.
> 
> w2k sp4, racoon + kame ipsec, all fine
> w2k sp4, racoon + opencrypto ipsec, loses when the SA expire.
> 
> Doing "setkey -F ; ping -c 1 w2k-machine" seems to make it recover
> (sometimes)

Do you mean "opencrypto" or "fast IPsec"?  It's possible that either:

* the opencrypto userland interface is hosed, such that openssl is losing
  somehow (but this seems unlikely unless you have hardware acceleration)

* somehow racoon and fast_ipsec have their knickers in a twist about what
  to do on/with the PF_KEY socket when an SA expires.  That wouldn't
  surprise me _too_ much; I've seen this happen even with certain versions
  of racoon and certain versions of the KAME kernel code (it happens on
  MacOS X *all the time*).

Maybe you could test with isakmpd?

Thor
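As an added example (not part of this thread, and not racoon's or the kernel's code), a small checker for the symptom Love describes: it parses `setkey -D` output, assumed here to follow the KAME layout shown in the constructed sample, and reports SAs that are no longer `mature` or have aged past their soft lifetime without being replaced, which is the state a PF_KEY expiry mix-up would leave behind. Function names and the sample are mine.

```python
import re

# Constructed sample in the layout of KAME `setkey -D` (field names assumed
# from that tool's output); not captured from any real host.
SAMPLE_SETKEY_D = """\
10.0.0.1 10.0.0.2
\tesp mode=tunnel spi=12345(0x00003039) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tdiff: 633(s)\thard: 28800(s)\tsoft: 23040(s)
10.0.0.2 10.0.0.1
\tesp mode=tunnel spi=54321(0x0000d431) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=dying
\tdiff: 23500(s)\thard: 28800(s)\tsoft: 23040(s)
"""

KV_RE = re.compile(r"\b(spi|state)=(\w+)")          # spi=12345(...) / state=mature
LIFE_RE = re.compile(r"\b(diff|hard|soft): (\d+)\(s\)")  # lifetimes in seconds


def parse_sas(text):
    """Split `setkey -D` output into one dict per SA: endpoints, spi, state, lifetimes."""
    sas, cur = [], None
    for line in text.splitlines():
        if not line.startswith("\t"):       # unindented line is the "src dst" header
            src, dst = line.split()
            cur = {"src": src, "dst": dst}
            sas.append(cur)
            continue
        for key, val in KV_RE.findall(line):
            cur[key] = int(val) if key == "spi" else val
        for key, secs in LIFE_RE.findall(line):
            cur[key] = int(secs)
    return sas


def stale_sas(sas):
    """Return (spi, reason) for SAs that the IKE daemon should already have replaced."""
    out = []
    for sa in sas:
        age, soft, hard = sa.get("diff", 0), sa.get("soft"), sa.get("hard")
        if sa.get("state") != "mature":
            out.append((sa["spi"], "state=%s" % sa.get("state")))
        elif hard is not None and age >= hard:
            out.append((sa["spi"], "past hard lifetime"))
        elif soft is not None and age >= soft:
            out.append((sa["spi"], "past soft lifetime, no rekey yet"))
    return out
```

Run it against real `setkey -D` output piped into `parse_sas`; an empty result from `stale_sas` means every SA is still mature and inside its soft lifetime.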