That's pretty interesting, and the best I could come up with is that it would try to renegotiate an old SA. I would think the default should be to accept any new SA, as normally you would want your newest one.
Thanks,
John

-----Original Message-----
From: Bill Marquette [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 20, 2006 11:45 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] IPSec Testing

On 2/20/06, John Cianfarani <[EMAIL PROTECTED]> wrote:
> Holy crap Batman! This might have fixed it.
> Did a little bit of testing only with the PIX as the remote client; it
> comes up after simulated power outages and builds the tunnel again
> without issue.
> Tested with long/short SA to see how it reacts if SAs are expired, and it
> still comes up.
> It actually seems pretty stable and pretty tough to make the
> tunnel fail now.

Good to hear. I just did a little research on that option... surprisingly, it does the opposite of what I'd expect it to do. Setting "Prefer old SA" in the web GUI sets the kernel sysctl net.key.preferred_oldsa=0, which means it prefers NEW SAs (which is a good thing). We'll kick it around and see what the best thing to do here is.

> Will continue doing some testing to confirm.
>
> Thanks for the tip!

No problem, glad that helped.

--Bill

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]