Subject: Re:
To: A. Priebe <apriebe@gmx.net>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-crypto
Date: 04/05/2006 22:39:47

>>>>> "A" == A Priebe <apriebe@gmx.net> writes:
    A> The problem shows up when the IPsec SA reaches its soft limit
    A> (limits are by time, not by kBytes): As with other partners, a
    A> new SA (for each direction) is created and NOT used until the
    A> hard limit is reached and the older SAs are deleted.  In this

  Well, the peer is free to use any SA that you have negotiated.

    A> period I see our ESP packages leaving the racoon host (with SPI
    A> from the "old" SA), but don't get any ESP answer from the other
    A> side.  I believe that the other side simply ignores the ESP
    A> packages coming in with the "old" SPI. Unfortunately I have no
    A> possibility to carry out tests on the remote site :-(

  Did they send you a delete payload?
  The Cisco VPN3K is basically EOL.

- -- 
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [