Arkadiusz Patyk wrote:
Racoon calculates soft lifetime as 80% of lifetime.
Cisco always uses 30s.
When lifetime is 600s soft is 480s.

At 480s racoon initiates a new phase 2 negotiation.
A new IPsec SA is established, but the old one still exists and will
be used for the next 120s.

After 30s Cisco switches to the new SA and drops packets;
Cisco says: "decaps: rec'd IPSEC packet has invalid spi"
For 90s Cisco is a blackhole ;/

On the BSD stack, we have net.key.prefered-oldsa to tune kernel usage of
the old/new SA. There should be a similar configuration on the Linux stack (or
just always use the new SA).

How to configure Linux to use the new SA instead of the old one?

Linux does use the new SA when looking it up again, but it caches the
resolved bundles until an SA expires or is deleted. You could change
racoon to remove the old SA and thus behave similarly to Cisco, but this
is wrong for multiple reasons. The other possibility is to flush all
cached bundles and resolve them again, but this is inefficient.

Are you sure you can't tell the Cisco to keep the old SA? As long as
it's present and valid, it should still accept packets using it.

Regards
Patrick
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
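The rekey timeline discussed in this thread, as an added worked example that is not part of the original posts and is not racoon, Linux xfrm or Cisco code. It models the two behaviours the posters describe (Linux keeps transmitting on the cached old SA until it expires; Cisco stops accepting the old SPI 30s after the new SA is installed) and computes the interval in which Cisco drops traffic. The SPI values, the per-second simulation and the `keep_old_until_expiry` switch (Patrick's suggestion of leaving the old SA valid) are assumptions made for illustration; the default parameters reproduce the 600s/480s/30s numbers from the thread, and the function is general in lifetime, soft-lifetime fraction and hold time.

```python
"""Simulate one IPsec rekey between a racoon/Linux initiator and a Cisco
responder and find the window in which Cisco black-holes traffic.

Constructed example; numbers default to the thread's 600s lifetime,
80% soft lifetime (480s) and 30s Cisco hold time. SPIs are made up.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class SA:
    spi: int
    established: int   # seconds on the shared timeline
    lifetime: int      # hard lifetime in seconds

    @property
    def expires(self) -> int:
        return self.established + self.lifetime


def linux_tx_spi(t: int, old: SA, new: Optional[SA]) -> int:
    """Outbound SPI chosen by the Linux side.

    Assumption from the thread: the resolved bundle is cached, so the old
    SA keeps being used until it expires (or is deleted), even though a
    newer SA is already installed.
    """
    if new is None or t < old.expires:
        return old.spi
    return new.spi


def cisco_accepts(t: int, spi: int, old: SA, new: Optional[SA],
                  hold: int = 30, keep_old_until_expiry: bool = False) -> bool:
    """Does the Cisco side decapsulate a packet carrying `spi` at time t?

    Assumption from the thread: Cisco stops accepting the old SA `hold`
    seconds after the new one is installed.  With keep_old_until_expiry
    it instead keeps the old SA valid until its lifetime ends.
    """
    if new is not None and spi == new.spi:
        return t >= new.established
    if spi == old.spi and t < old.expires:
        if new is None or keep_old_until_expiry:
            return True
        return t < new.established + hold
    return False


def blackhole_window(lifetime: int = 600, soft_fraction: float = 0.8,
                     cisco_hold: int = 30,
                     keep_old_until_expiry: bool = False
                     ) -> Optional[Tuple[int, int]]:
    """Step through one SA lifetime second by second and return the
    half-open interval [start, end) during which Linux transmits on an
    SPI that Cisco no longer accepts, or None if nothing is dropped."""
    old = SA(spi=0x1001, established=0, lifetime=lifetime)   # made-up SPIs
    soft = int(lifetime * soft_fraction)                     # racoon: 80% of lifetime
    new = SA(spi=0x1002, established=soft, lifetime=lifetime)
    dropped = [t for t in range(old.expires + 1)
               if not cisco_accepts(t, linux_tx_spi(t, old, new), old, new,
                                    cisco_hold, keep_old_until_expiry)]
    if not dropped:
        return None
    return dropped[0], dropped[-1] + 1


if __name__ == "__main__":
    # Thread's numbers: old SA dropped by Cisco at 510s, Linux keeps
    # sending on it until 600s -> 90 seconds of "invalid spi" drops.
    print(blackhole_window())                             # (510, 600)
    # If Cisco keeps the old SA valid until expiry there is no window.
    print(blackhole_window(keep_old_until_expiry=True))   # None
```

Changing `soft_fraction` or `cisco_hold` shows that the length of the window is the gap between the old SA's expiry and the moment Cisco stops accepting it, which is what makes the two peers' rekey policies incompatible regardless of the exact lifetime.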