Subject: Re: IPSEC/raccoon IKE negotiations
To: Frank Kardel <kardel@Acrys.COM>
From: None <itojun@iijlab.net>
List: current-users
Date: 03/11/2002 14:53:36
>I currently use IPSEC to protect my experimental VPN links. While playing around
>I experienced an annoying feature.
>When a machine reboots (or racoon re-starts) it only has the newly
>negotiated SAs while the other machine now has the old AND the new SAs.
>As IPSEC picks the old SAs for outgoing packets the sent packets
>are bound for the bit bucket at their destination as no matching SA
>is known. Things clear up when the old SAs time out.
>Is there any config parameter to improve that behaviour that I have missed?
>Do the RFCs state any comment on that situation (I haven't looked through
>them yet...)

	The kernel uses the old SA based on recommendations in
	internet draft draft-jenkins-ipsec-rekeying.  When one side reboots,
	racoon should be able to notify the event by using the "Initial Contact"
	bit, and the old SA should go away.

itojun
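A toy model of the race discussed above, added here as an illustration; it is not code from the thread, from racoon or from the kernel, and the peers, SPIs and clock ticks are constructed. It shows why the surviving peer blackholes traffic when the kernel prefers the oldest SA, that the problem clears once the old SA expires, and that an INITIAL-CONTACT notification from the rebooted side clears it immediately.

```python
from dataclasses import dataclass, field

@dataclass
class SA:
    spi: int
    created: int            # toy clock tick at which the SA was negotiated

@dataclass
class Peer:
    name: str
    sad: dict = field(default_factory=dict)   # SAD: spi -> SA (one SPI per pair, for brevity)

    def select_outbound(self):
        # the kernel prefers the oldest live SA, as described in the thread
        return min(self.sad.values(), key=lambda sa: sa.created)

    def expire(self, now, lifetime):
        # hard-lifetime expiry: stale SAs eventually disappear on their own
        self.sad = {spi: sa for spi, sa in self.sad.items() if now - sa.created < lifetime}

    def on_initial_contact(self):
        # the peer announced INITIAL-CONTACT: every SA shared with it is stale
        self.sad.clear()

def negotiate(a, b, spi, tick):
    a.sad[spi] = SA(spi, tick)
    b.sad[spi] = SA(spi, tick)

def delivered(sender, receiver):
    """True only if the receiver still holds the SA the sender chose."""
    return sender.select_outbound().spi in receiver.sad

def scenario(use_initial_contact, lifetime=8):
    a, b = Peer("A"), Peer("B")
    negotiate(a, b, spi=0x1001, tick=1)       # original SA pair (constructed values)
    a.sad.clear()                             # A reboots and loses its whole SAD
    if use_initial_contact:
        b.on_initial_contact()                # A's IKE daemon signals the restart to B
    negotiate(a, b, spi=0x2002, tick=2)       # fresh SA pair after the reboot
    right_after = delivered(b, a)
    for p in (a, b):
        p.expire(now=9, lifetime=lifetime)    # SA from tick 1 ages out, SA from tick 2 survives
    return right_after, delivered(b, a)

if __name__ == "__main__":
    print("without INITIAL-CONTACT:", scenario(False))   # (False, True): blackhole until expiry
    print("with INITIAL-CONTACT:   ", scenario(True))    # (True, True)
```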