Duplicate SAD entries lead to ESP tunnel malfunction

Julian Elischer julian at elischer.org
Fri Jan 27 10:20:06 PST 2006


Oleg Tarasov wrote:

>Hello,
>
>VANHULLEBUS Yvan <vanhu_bsd at zeninc.net> wrote:
>
>>net.key.prefered_oldsa, or net.key.preferred_oldsa (changed since
>>4.X).
>>
>>It is 1 by default, and it should be set to 0 for better
>>interoperability with lots of peers.
>
>This seems quite like the correct solution. I analyzed the behavior of the
>interface and saw incoming ping requests (obviously) AND outgoing ping
>echoes, but the remote host didn't get them. Obviously incoming packets
>were decrypted using one of the SAs (the new one), but outgoing packets
>were encrypted using the old SA, which is not present on the remote host due
>to some problem (like a forced reboot, connection problems, etc.).

Yes.

Let us know if that solves your problem.

Remember you don't need to reboot to set it;
the result should be instantaneous.

>Normally in this case the remote host must report an unknown SPI, but
>either it lacks this function or it just ignores these packets. As it
>is a hardware router I am unaware of its behavior.
>
>I will test this solution for some time but I am sure this will help.
>
>Thanks for the really great help - all these troubles are on my production
>box and every minute of malfunction returns to me with #not good#
>words of my boss :/
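The thread's fix is a single sysctl, and the only wrinkle is that the knob has two spellings depending on the FreeBSD branch. The script below is an added example written for this page, not code from the thread or from FreeBSD. It parses `sysctl` output for either spelling and reports whether the kernel will keep encrypting with the old SA after a rekey (value 1, the default named above) or switch to the newest one (value 0); the helper names `classify_oldsa_line` and `oldsa_sysctl_name` are this example's own. It runs to completion on a non-FreeBSD host (it simply reports that the sysctl is absent), so the parsing can be exercised anywhere.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): check the IPsec
# "prefer old SA" sysctl discussed above. Both sysctl names are the ones
# quoted in the thread; the shell functions are this example's own.

# classify_oldsa_line: parse one line such as
#   net.key.preferred_oldsa: 1      (sysctl output)
#   net.key.prefered_oldsa=0        (sysctl.conf / 4.x spelling)
# and print "old-sa-preferred", "new-sa-preferred" or "unknown".
classify_oldsa_line() {
    line=$1
    case "$line" in
        net.key.preferred_oldsa[:=]*|net.key.prefered_oldsa[:=]*)
            value=${line#*[:=]}                      # drop the key and separator
            value=$(printf '%s' "$value" | tr -d ' \t')
            case "$value" in
                1) echo old-sa-preferred ;;          # default: keeps using the old SA
                0) echo new-sa-preferred ;;          # the setting recommended above
                *) echo unknown ;;
            esac
            ;;
        *) echo unknown ;;
    esac
}

# oldsa_sysctl_name: print whichever spelling this kernel exposes
# (modern name first, then the pre-5.x one); fail if neither exists.
oldsa_sysctl_name() {
    for name in net.key.preferred_oldsa net.key.prefered_oldsa; do
        if sysctl -n "$name" >/dev/null 2>&1; then
            echo "$name"
            return 0
        fi
    done
    return 1
}

# Live check: meaningful on FreeBSD, harmless elsewhere.
if name=$(oldsa_sysctl_name); then
    current=$(sysctl "$name")
    echo "$current -> $(classify_oldsa_line "$current")"
    echo "Switch to the new SA immediately (no reboot needed): sysctl $name=0"
    echo "Persist across reboots: add '$name=0' to /etc/sysctl.conf"
else
    echo "no net.key.*prefered_oldsa / preferred_oldsa sysctl on this host"
fi
```

The parser accepts both the `key: value` form that `sysctl` prints and the `key=value` form used in `/etc/sysctl.conf`, so the same function can audit a running kernel and the persisted configuration.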

