> > the freebsd's ipsec stack always uses old SA when there are some SAs for > > the communication. so the other side system used old SA even when the one > > had new SA. > With that I can fix my case. Is there a special reason to > default to the old one, because that breaks rebooting systems, doesn't it?
if new SA was used, when the system installed SA, but the other system hadn't installed SA yet, some packet would be lost. when the system rebooted, it would caused the problem as you said. you can get more information from draft-jenkins-ipsec-rekeying-06.txt. although this draft has expired already, you can get from the Internet somewhere. To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-net" in the body of the message
