Thread: 15 messages, 3 authors, 2002-11-13

automatic keying works! Re: off by one error in 3des cbc keying

From: bert hubert <hidden>
Date: 2002-11-13 08:55:17


On Wed, Nov 13, 2002 at 04:09:26AM +0300, kuznet@ms2.inr.ac.ru wrote:
> Hello!
> > The problem with expiration remains unsolved.
> Patch #2. Bert, this is supposed to fix the first strange phenomenon
> in your experiment. But I still do not know what will happen after that.
> Please, check.

Resolves strange larvals, thanks. Patch #1 works fine but changes nothing
for linux-linux IPSEC, if both have the patch. Scenario I see now:

Initial setup is wonderful, 10.0.0.11 and 10.0.0.216 set up SAs.

At the soft expiration, both ends renegotiate and UPDATE their *incoming*
SA, using pk_sendupdate which calls pfkey_send_update in libipsec.

The outgoing SA however is updated using pk_sendadd which calls
pfkey_send_add, which Linux hates because there is already an SA there.

I changed it to call pfkey_send_update and then everything works as intended.
You spotted this problem earlier, by the way.

This brings us to the point that everything I try works. Key rollover is now
completely seamless. My patch to racoon is really ugly as it now also uses
UPDATE to add the initial outbound SA, I can improve it if you want?

Regards,

bert

-- 
http://www.PowerDNS.com          Versatile DNS Software & Services
http://lartc.org           Linux Advanced Routing & Traffic Control HOWTO
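As an added illustration (not code from this thread, nor from racoon, libipsec or the kernel), a small Python model of the PF_KEY rules Bert ran into: GETSPI reserves a larval SA that only UPDATE can complete, ADD is refused when an SA with that (dst, spi) already exists, and UPDATE is refused when none exists. The SADB class, its negative-errno return convention and the rekey() helper are assumptions of the model, not kernel or racoon interfaces.

```python
"""Toy model of SADB_GETSPI / SADB_ADD / SADB_UPDATE handling.

Assumption: like Linux, ADD of an existing SA fails with EEXIST and
UPDATE of an unknown SA fails with ESRCH (returned here as -errno).
"""
import errno

LARVAL, MATURE, DYING = "larval", "mature", "dying"


class SADB:
    """In-memory security-association database keyed by (dst, spi)."""

    def __init__(self):
        self.sa = {}

    def getspi(self, dst, spi):
        # GETSPI only reserves the SPI: the entry is larval and has no key.
        if (dst, spi) in self.sa:
            return -errno.EEXIST
        self.sa[(dst, spi)] = {"state": LARVAL, "key": None, "soft": None}
        return 0

    def add(self, dst, spi, key, soft):
        # ADD installs a brand-new SA; any existing entry (even larval) is an error.
        if (dst, spi) in self.sa:
            return -errno.EEXIST
        self.sa[(dst, spi)] = {"state": MATURE, "key": key, "soft": soft}
        return 0

    def update(self, dst, spi, key, soft):
        # UPDATE completes a larval SA or replaces a mature/dying one in place.
        ent = self.sa.get((dst, spi))
        if ent is None:
            return -errno.ESRCH
        ent.update(state=MATURE, key=key, soft=soft)
        return 0

    def soft_expire(self, dst, spi):
        # Soft lifetime reached: the SA keeps working but a rekey is due.
        self.sa[(dst, spi)]["state"] = DYING


def rekey(db, dst, spi, use_update):
    """Re-install an SA after soft expiry via ADD or UPDATE (constructed key)."""
    db.soft_expire(dst, spi)
    new_key = b"constructed-rekey-material"
    if use_update:
        return db.update(dst, spi, new_key, soft=3600)
    return db.add(dst, spi, new_key, soft=3600)
```

Running the rekey with use_update=False reproduces the failure mode described above (the ADD is rejected because the SA is already present), while use_update=True rolls the key over in place.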