transport mode IPSec with Windows 7, static keys

VANHULLEBUS Yvan vanhu at FreeBSD.org
Thu Oct 8 14:25:17 UTC 2015


Hi.

On Sat, Sep 26, 2015 at 08:30:57PM +0600, Victor Sudakov wrote:
[.....]
> The two sysctls:
> 
> net.key.preferred_oldsa=0

When more than one SA is available (the most common case is when a
new SA is keyed as the old one nears the end of its life), this
sysctl tells the kernel which one to use.
The old IKEv1 RFC says to use the older one (sysctl set to 1), but most
implementations use the newest as soon as it is available (sysctl set
to 0).

Having to tweak that for peer reboot situations probably means that
Windows' IKE daemon does not send a correct DELETE_SA, or it is not
properly handled on the FreeBSD side for some unknown reason.


> net.key.blockacq_count=0

Basically, blockacq is a mechanism to avoid sending a keying request
to the IKE daemon for each packet which should be tunneled (you may have a
lot of such packets during negotiation time).
Setting this sysctl to 0 will disable this feature, and setting it to
a low value may have the same result in your setup.

This will generate faster keying requests, but may overload the IKE daemon
during rekeying (each request from the kernel has to be read and
handled).


> seem to fix the reboot problem. Could anyone explain the mechanism? I
> have never had to tweak them to get IPsec working between FreeBSD hosts.


Yvan.
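The situation net.key.preferred_oldsa decides between is a peer having more than one mature SA in the same direction at once, typically because a rekey happened or a rebooted peer renegotiated without the old SA being deleted. The script below, added here as an example and not part of the thread or of FreeBSD's own tooling, parses the text output of `setkey -D` and reports src/dst pairs that currently hold more than one mature SA. The dump it runs on is constructed to mimic the `setkey -D` layout (address header line, indented attribute lines) and is not a real capture; the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: find peers with several mature SAs at once in a
# `setkey -D` dump (the case net.key.preferred_oldsa arbitrates).

# Reads a setkey -D dump on stdin and prints "src dst count" for every
# src/dst pair, counting only SAs whose state line says "mature"
# (dying or larval SAs are not candidates for new traffic).
mature_sa_counts() {
    awk '
        # An SA entry starts with an unindented "<src> <dst>" line;
        # every following attribute line is indented.
        $0 !~ /^[ \t]/ && NF == 2 { pair = $1 " " $2; next }
        /state=mature/           { n[pair]++ }
        END { for (p in n) print p, n[p] }
    ' | sort
}

# Keeps only the pairs that hold more than one mature SA.
multi_sa_pairs() {
    mature_sa_counts | awk '$3 > 1'
}

# Constructed sample dump (not a real capture): two mature SAs from
# 192.0.2.1 to 192.0.2.2 (an old one and a freshly keyed one), one
# mature SA in the reverse direction, and one dying SA that must be
# ignored.  Hypothetical keys are shown as zeros.
sample_dump() {
    cat <<'EOF'
192.0.2.1 192.0.2.2
    esp mode=transport spi=305419896(0x12345678) reqid=0(0x00000000)
    E: aes-cbc  00000000 00000000 00000000 00000000
    A: hmac-sha1  00000000 00000000 00000000 00000000 00000000
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Oct  8 14:00:00 2015   current: Oct  8 14:25:17 2015
    diff: 1517(s)   hard: 28800(s)  soft: 23040(s)
    sadb_seq=3 pid=800 refcnt=1
192.0.2.1 192.0.2.2
    esp mode=transport spi=305419897(0x12345679) reqid=0(0x00000000)
    E: aes-cbc  00000000 00000000 00000000 00000000
    A: hmac-sha1  00000000 00000000 00000000 00000000 00000000
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Oct  8 14:25:00 2015   current: Oct  8 14:25:17 2015
    diff: 17(s)     hard: 28800(s)  soft: 23040(s)
    sadb_seq=5 pid=800 refcnt=1
192.0.2.2 192.0.2.1
    esp mode=transport spi=2271560481(0x87654321) reqid=0(0x00000000)
    E: aes-cbc  00000000 00000000 00000000 00000000
    A: hmac-sha1  00000000 00000000 00000000 00000000 00000000
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Oct  8 14:25:00 2015   current: Oct  8 14:25:17 2015
    diff: 17(s)     hard: 28800(s)  soft: 23040(s)
    sadb_seq=6 pid=800 refcnt=1
192.0.2.2 192.0.2.1
    esp mode=transport spi=2271560480(0x87654320) reqid=0(0x00000000)
    E: aes-cbc  00000000 00000000 00000000 00000000
    A: hmac-sha1  00000000 00000000 00000000 00000000 00000000
    seq=0x00000000 replay=4 flags=0x00000000 state=dying
    created: Oct  8 14:00:00 2015   current: Oct  8 14:25:17 2015
    diff: 1517(s)   hard: 28800(s)  soft: 23040(s)
    sadb_seq=4 pid=800 refcnt=1
EOF
}

# Runs the check over the constructed sample; on a live host you would
# pipe `setkey -D` into multi_sa_pairs instead.
demo() {
    sample_dump | multi_sa_pairs
}

demo
```

On a FreeBSD host, `setkey -D | multi_sa_pairs` run right after the Windows peer reboots shows whether the stale SA is still present (which is what would make the kernel's choice under preferred_oldsa matter), and the `created:` lines of the two entries tell you which one the kernel will pick under each setting.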
