Prefer old ipsec SAs
-
Running 2.0-RC2 (i386) built on Mon May 23 02:20:40 EDT 2011. I've got an IPsec tunnel that needs the prefer old IPsec SAs option to stay up and running. It was working fine on 1.2.3 but on 2.0 it doesn't seem to work.
thanks
-andy
-
Do I need to file a bug on this or anything? I've set up a 1.2.3 box for my VPN endpoints for the time being.
thanks
-andy
-
Can you check
sysctl net.key.preferred_oldsa
with the option on and off, and see if that changes for you?
-
With it enabled, it reports
net.key.preferred_oldsa: -30
With it disabled, it reports
net.key.preferred_oldsa: 0
thanks
-andy
-
Then it should be operating normally. If you're seeing some other issue, the IPsec logs might be helpful, and/or the setkey -D and setkey -DP output. It probably isn't the SA preference.