On Wed, Nov 13, 2002 at 11:46:40PM +0300, kuznet@xxxxxxxxxxxxx wrote:
> We traced all this today. It was not the true reason for the bad behaviour;
> the real mistake was in an absolutely different place. The patch (not incremental
> wrt the patch of yesterday, so back out that one).
Done. http://ds9a.nl/ipsec now contains patches:
[TXT] 01-bypass-connect.diff 11-Nov-2002 08:59 16k
[TXT] 02-udp-bypass.diff 12-Nov-2002 15:14 2k
[TXT] 03-interop-breaks-compat.diff 13-Nov-2002 08:25 3k
[TXT] 04-larval-2.diff 13-Nov-2002 21:53 5k
When applied together, it now *really* works as intended :-)
> No, really. The trace showed another problem: one of them looks like
> a bug in racoon, namely: after the SA internal to IKE expires, racoon
> does not initiate a new connection to the peer when some real kernel
I now see a proper soft expire, new SAs being set up, old SAs in state 'dying',
and traffic flowing nicely. Even with a soft expire and no traffic, I see a
new SA being negotiated.
Until the old SAs die, I see Linux sending with the old SPI; is that right?
http://www.PowerDNS.com Versatile DNS Software & Services
http://lartc.org Linux Advanced Routing & Traffic Control HOWTO