Subject: racoon vs Cisco VPN concentrator
To: None <netbsd-users@netbsd.org>
From: A. Priebe <apriebe@gmx.net>
List: netbsd-users
Date: 03/31/2006 09:55:16
Hi,

we are using racoon on NetBSD 3.0 to establish LAN-to-LAN VPNs
to different endpoints (IPsec, ESP, IKE, preshared keys). This
usually works fine, but recently we have problems with a connection
to a remote Cisco 3xxx VPN concentrator.

The problem shows up, when the IPsec SA reaches its soft limit
(limits are by time, not by kBytes):
As with other partners, a new SA (for each direction) is created
and NOT used, until the hard limit is reached and the older SAs
are deleted.
In this period I see our ESP packages leaving the racoon host (with
SPI from the "old" SA), but don't get any ESP answer from the other side.
I believe, that the other side simply ignores the ESP packages
coming in with the "old" SPI. Unfortunately I have no possibility
to carry out tests on the remote site :-(

Is there anything I can do? Is the racoon behaviour "correct"?

In racoon.conf a sysctl net.key.preferred_oldsa is mentioned,
which maybe could help me.
Unfortunately such a sysctl doesn't seem to exist on NetBSD:

# /sbin/sysctl net.key.preferred_oldsa
sysctl: third level name 'preferred_oldsa' in 'net.key.preferred_oldsa' is
invalid

Any hints?

TIA,

Andreas
