On Thu, 15 Dec 2005, David S. Miller wrote:
1) I don't understand how a routing cache flush "fixes" the problem.
The routing cache flush only marks non-IPSEC cached routes as
invalid, not IPSEC ones.
A new IPsec SA is used for communication between a new src/dst pair (previously
unseen) even if an old SA exists. Only communication for a src/dst pair which
was previously active is stuck with the old SA.
I was also surprised that a routing cache flush helps, but it really works
and I have used this "workaround" for more than three months.
It looks like XFRM caches that information, so the kernel does need to search the
whole SADB for each packet, and this is the reason why usage of the old SA is
observed. This is my theory only; someone who wrote XFRM probably knows
this for sure.
Best regards,
Krzysztof Olędzki
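The behaviour described in the thread (a previously active src/dst pair keeps using the old SA until the route cache is flushed, while a new pair picks up the new SA right away) can be reproduced with a small model of a per-flow cache in front of an SADB walk. The code below is an added illustration written for this page; it is not kernel code and does not claim to be how XFRM is implemented. All names (`sadb`, `flow_cache`, `xfrm_lookup_spi`, the generation counter `genid`) are hypothetical, and the `check_genid` mode is one common way to invalidate such a cache, shown here for contrast with the flush-only workaround, not a statement about what the kernel does.

```c
/* Added model (not kernel code) of a per-flow SA cache in front of an
 * SADB search: a cached src/dst entry keeps returning its old SA until
 * the cache is flushed, unless entries are validated against an SADB
 * generation counter.  All names are hypothetical. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MAX_SA   8
#define MAX_FLOW 8

struct sa {                 /* one entry of the model SADB */
    uint32_t src, dst;      /* selector: src/dst host (IPv4, host order) */
    uint32_t spi;           /* identifies the SA */
    int      deleted;       /* set when the SA is removed */
};

struct flow_entry {         /* cached result of the SADB search per src/dst */
    uint32_t src, dst;
    const struct sa *sa;    /* cached SA for this pair */
    unsigned genid;         /* SADB generation when the entry was filled */
    int used;
};

struct sadb {
    struct sa sa[MAX_SA];
    int nsa;
    unsigned genid;         /* bumped on every add/delete */
};

static struct flow_entry flow_cache[MAX_FLOW];

/* Linear SADB walk: the newest matching, non-deleted SA wins (model rule). */
static const struct sa *sadb_lookup(const struct sadb *db, uint32_t src, uint32_t dst)
{
    for (int i = db->nsa - 1; i >= 0; i--)
        if (!db->sa[i].deleted && db->sa[i].src == src && db->sa[i].dst == dst)
            return &db->sa[i];
    return NULL;
}

void sadb_add(struct sadb *db, uint32_t src, uint32_t dst, uint32_t spi)
{
    if (db->nsa < MAX_SA) {
        db->sa[db->nsa++] = (struct sa){src, dst, spi, 0};
        db->genid++;
    }
}

/* The workaround from the thread: flushing the cache drops every cached
 * flow, so the next packet for each pair re-walks the SADB. */
void flow_cache_flush(void)
{
    memset(flow_cache, 0, sizeof flow_cache);
}

/* Per-packet lookup.  check_genid == 0 models the behaviour described in the
 * thread (a cached SA is reused until the cache is flushed); check_genid == 1
 * models validating the cached entry against the SADB generation first. */
uint32_t xfrm_lookup_spi(struct sadb *db, uint32_t src, uint32_t dst, int check_genid)
{
    struct flow_entry *slot = NULL;
    for (int i = 0; i < MAX_FLOW; i++) {
        struct flow_entry *fe = &flow_cache[i];
        if (fe->used && fe->src == src && fe->dst == dst) {
            if (!check_genid || fe->genid == db->genid)
                return fe->sa ? fe->sa->spi : 0;   /* cache hit, possibly stale */
            fe->used = 0;                           /* stale: refill below */
        }
        if (!fe->used && !slot) slot = fe;
    }
    const struct sa *sa = sadb_lookup(db, src, dst);
    if (slot) *slot = (struct flow_entry){src, dst, sa, db->genid, 1};
    return sa ? sa->spi : 0;
}

/* Constructed scenario: A->B is rekeyed while A->B traffic is cached, and a
 * previously unseen pair A->C gets its own SA.  out[0]: A->B before rekey,
 * out[1]: A->B after rekey, out[2]: A->C, out[3]: A->B after a cache flush. */
void demo_stale_after_rekey(int check_genid, uint32_t out[4])
{
    struct sadb db = {0};
    flow_cache_flush();
    sadb_add(&db, 0x0a000001, 0x0a000002, 0x1001);           /* A->B, old SA */
    out[0] = xfrm_lookup_spi(&db, 0x0a000001, 0x0a000002, check_genid);
    sadb_add(&db, 0x0a000001, 0x0a000002, 0x1002);           /* A->B, new SA */
    sadb_add(&db, 0x0a000001, 0x0a000003, 0x2001);           /* A->C, new pair */
    out[1] = xfrm_lookup_spi(&db, 0x0a000001, 0x0a000002, check_genid);
    out[2] = xfrm_lookup_spi(&db, 0x0a000001, 0x0a000003, check_genid);
    flow_cache_flush();
    out[3] = xfrm_lookup_spi(&db, 0x0a000001, 0x0a000002, check_genid);
}

int main(void)
{
    uint32_t o[4];
    demo_stale_after_rekey(0, o);
    printf("no genid check: A->B %#x, after rekey %#x, A->C %#x, after flush %#x\n",
           o[0], o[1], o[2], o[3]);
    demo_stale_after_rekey(1, o);
    printf("genid check:    A->B %#x, after rekey %#x, A->C %#x, after flush %#x\n",
           o[0], o[1], o[2], o[3]);
    return 0;
}
```

Without the generation check the A->B lookup keeps returning SPI 0x1001 after the rekey while A->C immediately gets 0x2001, and only the flush moves A->B to 0x1002; with the check the stale entry is dropped on the first lookup after the SADB changed.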