On Tue, Nov 12, 2002 at 06:29:06PM +0300, kuznet@ms2.inr.ac.ru wrote:

Hello!

quoted

quoted

The problem with expiration remains unsolved. I still cannot reproduce this
and cannot find a situation when kernel can create two larvals with one
identity. :-( Searching.

Sure you saw that? I only saw the one larval in the output I sent you,

Sure, unless my sick cisco router corrupts mails. But I hope it is not
so malicious. :-)

Joke aparts, of course, I did not see this, it exists for short time,
you see one of them already grown to mature.

I've made a movie, the output of: 
while true; do date ; sudo download/kametools/setkey/setkey -D ; done > logs

Please find it attached.

This corresponds to:
20:01:43: INFO: isakmp.c:1689:isakmp_post_acquire(): IPsec-SA
request for 10.0.0.11 queued due to no phase1 found.
20:01:43: INFO: isakmp.c:794:isakmp_ph1begin_i(): initiate new
phase 1 negotiation: 10.0.0.216[500]<=>10.0.0.11[500]
20:01:43: INFO: isakmp.c:799:isakmp_ph1begin_i(): begin
Aggressive mode.
20:01:43: INFO: vendorid.c:128:check_vendorid(): received Vendor
ID: KAME/racoon
20:01:43: NOTIFY: oakley.c:2037:oakley_skeyid(): couldn't find
the proper pskey, try to get one by the peer's address.
20:01:43: INFO: isakmp.c:2417:log_ph1established(): ISAKMP-SA
established 10.0.0.216[500]-10.0.0.11[500]
spi:abf1baea48b9c16d:e422bce8c6b9f015
20:01:44: INFO: isakmp.c:938:isakmp_ph2begin_i(): initiate new
phase 2 negotiation: 10.0.0.216[0]<=>10.0.0.11[0]
20:01:44: INFO: pfkey.c:1106:pk_recvupdate(): IPsec-SA
established: ESP/Transport 10.0.0.11->10.0.0.216 spi=251701380(0xf00a884)
20:01:44: INFO: pfkey.c:1318:pk_recvadd(): IPsec-SA established:
ESP/Transport 10.0.0.216->10.0.0.11 spi=43499516(0x297bffc)

20:02:13: INFO: pfkey.c:1364:pk_recvexpire(): IPsec-SA expired:
ESP/Transport 10.0.0.216->10.0.0.11 

Note how it changes very nearly atomically.

Regards,

bert

-- 
http://www.PowerDNS.com          Versatile DNS Software & Services
http://lartc.org           Linux Advanced Routing & Traffic Control HOWTO