To: None <email@example.com>
From: A. Priebe <firstname.lastname@example.org>
Date: 04/03/2006 18:35:52
I have asked the following on netbsd-users already - unfortunately
got no answer, so maybe anybody on this list may comment:
We are using racoon on NetBSD 3.0 to establish LAN-to-LAN VPNs
to different endpoints (IPsec, ESP, IKE, preshared keys). This
usually works fine, but recently we have problems with a connection
to a remote Cisco 3020 VPN concentrator.
The problem shows up when the IPsec SA reaches its soft limit
(limits are by time, not by kBytes):
As with other partners, a new SA (for each direction) is created
and NOT used, until the hard limit is reached and the older SAs
In this period I see our ESP packets leaving the racoon host (with
SPI from the "old" SA), but don't get any ESP answer from the other side.
I believe that the other side simply ignores the ESP packets
coming in with the "old" SPI. Unfortunately I have no possibility
to carry out tests on the remote site :-(
Is there anything I can do? Is the racoon behaviour "correct"?
In racoon.conf a sysctl net.key.preferred_oldsa is mentioned,
which maybe could help me.
Unfortunately such a sysctl doesn't seem to exist on NetBSD:
# /sbin/sysctl net.key.preferred_oldsa
sysctl: third level name 'preferred_oldsa' in 'net.key.preferred_oldsa' is
Additional question: What is the difference between ipsec-tools in
the base distribution and ipsec-tools in pkgsrc? Both seem to be
0.6.3 but obviously are very different (e.g. need different shared