From: A. Priebe <>
List: tech-crypto
Date: 04/03/2006 18:35:52

I have already asked the following on netbsd-users, but unfortunately
got not a single answer, so maybe somebody on this list can comment:

We are using racoon on NetBSD 3.0 to establish LAN-to-LAN VPNs
to different endpoints (IPsec, ESP, IKE, preshared keys). This
usually works fine, but recently we have problems with a connection
to a remote Cisco 3020 VPN concentrator.

The problem shows up when the IPsec SA reaches its soft limit
(limits are by time, not by kBytes):
As with other partners, a new SA (for each direction) is created
and NOT used until the hard limit is reached and the older SAs
are deleted.
In this period I see our ESP packets leaving the racoon host (with
the SPI of the "old" SA), but don't get any ESP answer from the other side.
I believe that the other side simply ignores the ESP packets
coming in with the "old" SPI. Unfortunately I have no possibility
to carry out tests on the remote site :-(

Is there anything I can do? Is the racoon behaviour "correct"?

In racoon.conf a sysctl net.key.preferred_oldsa is mentioned,
which might help me.
Unfortunately such a sysctl doesn't seem to exist on NetBSD:

# /sbin/sysctl net.key.preferred_oldsa
sysctl: third level name 'preferred_oldsa' in 'net.key.preferred_oldsa' is

Any hints?

Additional question: What is the difference between ipsec-tools in
the base distribution and ipsec-tools in pkgsrc? Both seem to be
0.6.3 but obviously are very different (e.g. need different shared


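As an added illustration (not part of the original post and not code from ipsec-tools or racoon), the following Python model shows one direction of an ESP tunnel across a soft/hard lifetime rekey. The poster's hypothesis that the remote concentrator stops accepting the old SPI as soon as the new SA is installed is modelled by the constructed `drop_old_after_rekey` flag; the `prefer_old_sa` flag models the KAME selection policy that net.key.preferred_oldsa controls (1 = keep sending on the oldest live SA, 0 = switch to the newest one). SPIs, lifetimes and class names are all constructed for the example.

```python
"""Model of outbound SA selection across a soft/hard lifetime rekey.

Constructed example. One direction of an IPsec tunnel: at the soft
lifetime the initiator negotiates a replacement SA; at the hard lifetime
the old SA is deleted. Which SA carries traffic in between is the
"prefer old SA" policy, and whether the peer still accepts the old SPI
in that window is the assumption this model lets you test.
"""
from dataclasses import dataclass, field


@dataclass
class SA:
    spi: int
    created: int      # simulated time (seconds) the SA was installed
    soft_life: int    # seconds after which a replacement is negotiated
    hard_life: int    # seconds after which the SA is deleted

    def soft_expired(self, now: int) -> bool:
        return now >= self.created + self.soft_life

    def hard_expired(self, now: int) -> bool:
        return now >= self.created + self.hard_life


@dataclass
class Peer:
    """Responder side: accepts an SPI only while it is in its inbound SAD."""
    accepted: set = field(default_factory=set)
    # Assumption about the remote box: forget the old SPI once a new SA exists.
    drop_old_after_rekey: bool = False

    def install(self, spi: int) -> None:
        if self.drop_old_after_rekey:
            self.accepted.clear()
        self.accepted.add(spi)

    def receive(self, spi: int) -> bool:
        return spi in self.accepted


class Initiator:
    def __init__(self, prefer_old_sa: bool, soft_life: int, hard_life: int):
        self.prefer_old_sa = prefer_old_sa
        self.soft_life = soft_life
        self.hard_life = hard_life
        self.sad = []            # outbound SAs, oldest first
        self.next_spi = 0x1000   # constructed SPI counter
        self.rekeyed = set()     # SPIs that already triggered a rekey

    def rekey(self, now: int, peer: Peer) -> SA:
        sa = SA(self.next_spi, now, self.soft_life, self.hard_life)
        self.next_spi += 1
        self.sad.append(sa)
        peer.install(sa.spi)     # IKE installs the new SA on both sides
        return sa

    def tick(self, now: int, peer: Peer) -> None:
        # Hard limit reached: delete the SA.
        self.sad = [s for s in self.sad if not s.hard_expired(now)]
        # Soft limit reached: negotiate a replacement once per SA.
        for s in list(self.sad):
            if s.soft_expired(now) and s.spi not in self.rekeyed:
                self.rekeyed.add(s.spi)
                self.rekey(now, peer)
        if not self.sad:
            self.rekey(now, peer)

    def select(self) -> SA:
        # preferred_oldsa=1: stay on the oldest live SA until it is deleted.
        # preferred_oldsa=0: use the newest SA as soon as it exists.
        return self.sad[0] if self.prefer_old_sa else self.sad[-1]


def simulate(prefer_old_sa: bool, peer_drops_old: bool,
             soft: int = 60, hard: int = 90, duration: int = 180) -> list:
    """Return the simulated seconds at which an outbound packet is dropped."""
    peer = Peer(drop_old_after_rekey=peer_drops_old)
    init = Initiator(prefer_old_sa, soft, hard)
    lost = []
    for now in range(duration):
        init.tick(now, peer)
        if not peer.receive(init.select().spi):
            lost.append(now)
    return lost


if __name__ == "__main__":
    for policy in (True, False):
        for drops in (True, False):
            lost = simulate(policy, drops)
            print(f"prefer_old_sa={policy} peer_drops_old={drops}: "
                  f"{len(lost)} seconds of lost traffic")
```

With the constructed 60 s soft / 90 s hard lifetimes, the combination the post describes (initiator keeps the old SA, peer forgets it on rekey) loses traffic for every soft-to-hard window; either switching to the new SA at the soft limit or a peer that keeps the old inbound SA until its own hard limit removes the gap.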