Subject: Re: IPSEC still fails on BETA2/vax
To: Olaf Seibert <>
From: None <>
List: current-users
Date: 07/10/2002 08:16:10
>> 	sorry, i checked your original posting.  could you check where the
>> 	kernel code is returning EINVAL in UPDATE message handling?  it should
>> 	be somewhere inside sys/netkey/*.c (some printfs should do it).
>I added some printf() calls in sys/netkey/key.c in the function
>key_update(). Now I get this on my console (racoon output mixed with
>kernel output).  I show the spi from the kernel messages and the one
>other occurrance of it. Could it be some time-out because there is such
>a long time (1 minute 21 seconds) between these parts?

	now i see you problem.  yes, your machine is too slow to do D-H by
	racoon.  kernel asks for a new key by ACQUIRE message, keeping the
	information as SAD entry with "larval" state.  the kernel waits
	for the key to be installed for 30 seconds
	on your machine, by the time racoon tries to install the negotiated
	key by UPDATE message, the larval SAD entry is gone.

	try raising net.key.larval_lifetime to 120 (or 300?) and see if it
	makes a difference.