On Wed, Nov 13, 2002 at 04:09:26AM +0300, kuznet@xxxxxxxxxxxxx wrote:
> > The problem with expiration remains unsolved.
> Patch #2. Bert, this is supposed to fix the first strange phenomenon
> in your experiment. But I still do not know what will happen after that.
> Please, check.
Resolves strange larvals, thanks. Patch #1 works fine but changes nothing
for linux-linux IPSEC, if both have the patch. Scenario I see now:
Initial setup is wonderful, 10.0.0.11 and 10.0.0.216 setup SAs.
At the soft expiration, both ends renegotiate and UPDATE their *incoming*
SA, using pk_sendupdate, which calls pfkey_send_update in libipsec.
The outgoing SA, however, is updated using pk_sendadd, which calls
pfkey_send_add, which Linux hates because there is already an SA there.
I changed it to call pfkey_send_update and then everything works as intended.
You spotted this problem earlier, by the way.
This brings us to the point that everything I try works. Key rollover is now
completely seamless. My patch to racoon is really ugly, as it now also uses
UPDATE to add the initial outbound SA. I can improve it if you want?
http://www.PowerDNS.com Versatile DNS Software & Services
http://lartc.org Linux Advanced Routing & Traffic Control HOWTO
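The message above describes the SADB_ADD versus SADB_UPDATE difference at rekey time only in words. The following is an added example, not code from racoon, libipsec or the Linux kernel: it builds PF_KEY v2 SADB_ADD / SADB_UPDATE messages with the RFC 2367 header and extension layout (sadb_msg, sadb_sa, sadb_address, sadb_key, sadb_lifetime), parses them back, and runs them through a toy SAD that models only the behaviour reported in the thread: ADD is refused with EEXIST when an SA with the same destination and SPI is already installed, UPDATE installs or replaces. The SPI 0x1000, the 3DES key bytes, the soft lifetime of 600 seconds and the assumption that the renewed SA reuses the same SPI are all constructed for the illustration; the peer addresses are the ones from the message.

```python
"""Added example (not racoon, libipsec or kernel code): encode PF_KEY v2
SADB_ADD / SADB_UPDATE messages per RFC 2367 and replay them against a toy
SAD that models the ADD-vs-UPDATE behaviour described in the thread."""
import socket
import struct

# PF_KEY v2 constants from RFC 2367
PF_KEY_V2 = 2
SADB_UPDATE, SADB_ADD = 2, 3
SADB_SATYPE_ESP = 3
SADB_EXT_SA, SADB_EXT_LIFETIME_SOFT = 1, 4
SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST, SADB_EXT_KEY_ENCRYPT = 5, 6, 9
SADB_SASTATE_MATURE = 1
SADB_EALG_3DESCBC = 3
AF_INET = socket.AF_INET        # sockaddr family is a host-order uint16
EEXIST = 17


def _pad8(b: bytes) -> bytes:
    """PF_KEY extensions are multiples of 64 bits."""
    return b + b"\0" * (-len(b) % 8)


def ext_sa(spi: int, ealg: int, replay: int = 32) -> bytes:
    # struct sadb_sa: 16 bytes = 2 words; the SPI is stored in network order
    return (struct.pack("=HH", 2, SADB_EXT_SA) + struct.pack("!I", spi)
            + struct.pack("=BBBBI", replay, SADB_SASTATE_MATURE, 0, ealg, 0))


def ext_address(exttype: int, ip: str) -> bytes:
    # struct sadb_address (8 bytes) followed by a sockaddr_in (16 bytes) = 3 words
    sin = struct.pack("=HH4s8x", AF_INET, 0, socket.inet_aton(ip))
    return struct.pack("=HHBBH", 3, exttype, 0, 32, 0) + sin


def ext_key(exttype: int, key: bytes) -> bytes:
    # struct sadb_key: key length in bits, then key material padded to 8 bytes
    body = _pad8(key)
    return struct.pack("=HHHH", (8 + len(body)) // 8, exttype, len(key) * 8, 0) + body


def ext_lifetime(exttype: int, addtime: int) -> bytes:
    # struct sadb_lifetime: 32 bytes = 4 words; only the seconds field is set
    return struct.pack("=HHIQQQ", 4, exttype, 0, 0, addtime, 0)


def build_msg(msg_type: int, seq: int, exts: list, pid: int = 4242) -> bytes:
    # struct sadb_msg: 16 bytes; sadb_msg_len counts 64-bit words incl. header
    body = b"".join(exts)
    hdr = struct.pack("=BBBBHHII", PF_KEY_V2, msg_type, 0, SADB_SATYPE_ESP,
                      (16 + len(body)) // 8, 0, seq, pid)
    return hdr + body


def parse_msg(buf: bytes) -> tuple:
    """Return (msg_type, {ext_type: raw_ext}); reject inconsistent lengths."""
    ver, mtype, _err, _satype, words, _, _seq, _pid = struct.unpack_from("=BBBBHHII", buf)
    if ver != PF_KEY_V2 or words * 8 != len(buf):
        raise ValueError("bad PF_KEY header")
    exts, off = {}, 16
    while off < len(buf):
        elen, etype = struct.unpack_from("=HH", buf, off)
        if elen == 0 or off + elen * 8 > len(buf):
            raise ValueError("bad extension length")
        exts[etype] = buf[off:off + elen * 8]
        off += elen * 8
    return mtype, exts


class ToySAD:
    """Toy security association database (illustration, not the kernel's code):
    ADD of an existing (dst, SPI) fails with EEXIST; UPDATE installs or replaces."""
    def __init__(self):
        self.entries = {}

    def handle(self, buf: bytes) -> int:
        mtype, exts = parse_msg(buf)
        spi = struct.unpack_from("!I", exts[SADB_EXT_SA], 4)[0]
        dst = socket.inet_ntoa(exts[SADB_EXT_ADDRESS_DST][12:16])   # sin_addr
        keybits = struct.unpack_from("=H", exts[SADB_EXT_KEY_ENCRYPT], 4)[0]
        key = exts[SADB_EXT_KEY_ENCRYPT][8:8 + keybits // 8]
        if mtype == SADB_ADD and (dst, spi) in self.entries:
            return EEXIST
        self.entries[(dst, spi)] = key
        return 0


def rollover(renew_type: int) -> list:
    """Install the outbound SA 10.0.0.11 -> 10.0.0.216, then renew it with
    renew_type. Returns [errno of first ADD, errno of renewal, installed key]."""
    sad = ToySAD()

    def sa_msg(mtype, seq, key):
        return build_msg(mtype, seq, [
            ext_sa(0x1000, SADB_EALG_3DESCBC),          # constructed SPI
            ext_address(SADB_EXT_ADDRESS_SRC, "10.0.0.11"),
            ext_address(SADB_EXT_ADDRESS_DST, "10.0.0.216"),
            ext_key(SADB_EXT_KEY_ENCRYPT, key),
            ext_lifetime(SADB_EXT_LIFETIME_SOFT, 600),  # constructed soft lifetime
        ])

    first = sad.handle(sa_msg(SADB_ADD, 1, b"A" * 24))           # constructed key
    renewed = sad.handle(sa_msg(renew_type, 2, b"B" * 24))        # constructed key
    return [first, renewed, sad.entries[("10.0.0.216", 0x1000)]]
```

Calling rollover(SADB_ADD) leaves the old key in place and reports EEXIST for the renewal, which is the failure mode described for pk_sendadd; rollover(SADB_UPDATE) returns 0 twice and leaves the new key installed, which is the seamless rollover the message reports after switching to the UPDATE path.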