IPsec HEADS UP for 2.2.1 users
-
When we removed the code for the "Prefer old SAs" option, which set the value to -30, I noticed it was no longer getting set to -30 but neglected to notice it was being set to 1, which is an alternate value for enabled. No one else noticed either unfortunately.
This is the cause of rekeying issues some of you have after upgrading to 2.2.1. 2.2.2 will be coming soon to fix this, but you can easily fix it in the mean time.
Go to System>Advanced, System Tunables tab, and add a new value there.
Name: net.key.preferred_oldsa
Value: 0Then save and apply changes. That immediately takes effect. That can stay there indefinitely, it won't impact anything post-upgrade with the proper fix.