i know there's been some debate on this... but what is the current thinking
in the light of any possible changes to KAME?

the problem is that classic one: two ipsec hosts negotiate keys.. one's a
server, one's a client... establish SAs and all is well. now, if one ike
daemon is gracefully pulled down it sends a delete to itself and the other
host, clearing the spds and sad entries... all is fine too. (i'm using
isakmpd).

now - what __should__ happen if one of the hosts, client or server, is
ungracefully rebooted... should the server NOT respond to a new phase 1
negotiation? ... or should it wait till the full phase 1 time out which
could be 8 hours or more!!! or should it accept the new negotiation?

 i think (i may be wrong) that freebsd4.4r does accept new negotiations, and
new entries are placed in the sad BUT: the machine accepts new SPI
streams... but sends back old-SPI streams... confusing the rebooted machine.

 any light on this?

 tariq




