Subject: IPSEC/racoon IKE negotiations
To: None <current-users@netbsd.org>
From: Frank Kardel <kardel@Acrys.COM>
List: current-users
Date: 03/11/2002 06:50:12
Hi,

I currently use IPSEC to protect my experimental VPN links. While playing around
I experienced an annoying feature.
When a machine reboots (or racoon restarts) it only has the newly
negotiated SAs, while the other machine now has the old AND the new SAs.
As IPSEC picks the old SAs for outgoing packets, the sent packets
are bound for the bit bucket at their destination, as no matching SA
is known. Things clear up when the old SAs time out.
Is there any config parameter to improve that behaviour that I have missed?
Do the RFCs state any comment on that situation (I haven't looked through
them yet...)?

Regards,
  Frank Kardel