List: ipsec-tools-devel
Subject: Re: [Ipsec-tools-devel] IPSec and out-of-order delivery
From: JL <ipsec-tools () rrod ! net>
Date: 2011-04-27 10:18:09
Message-ID: BANLkTimPt9Vm-qdMuOrwXqnfZfKPtGkCfg () mail ! gmail ! com
Hi Yvan,
On 26 April 2011 14:59, VANHULLEBUS Yvan <vanhu@free.fr> wrote:
> On Tue, Apr 26, 2011 at 02:48:39PM +0100, JL wrote:
>> Hi Yvan,
> [...]
>> That looks like a strong contender for the problem. Now that I know
>> what to look for, I can see "replay=4" in the Policy Database.
>
>
> That's the default value, IIRC.
> Please note that this is the size (in bytes) of a bitfield, so the
> replay window keeps the state of the last 32 received packets.
>
>
>> My next question is, how do I change that?
>
> I don't think this can be actually configured in racoon.conf...
>
> Either change it at compile time for your specific needs, or feel free
> to provide us a patch to have a (per peer/sainfo if possible)
> configurable replay window size.
Damn :(
I've worked up a patch to just change the hardcoded value (for future
reference by anyone reading this, I have pasted the patch to
0.6.5-13.el5_3.1 at the bottom of this email) but it may be a while
before I can get it onto live systems (one end has >100 VPNs).
I'm going to try to get our dev team to take up writing the proper
patch, but I'm not holding my breath :)
Thank you very much for your help. I could have spent a lot of time
staring at this, and not gotten it. You have pointed me at exactly
what I needed to know.
>
>
> Yvan.
>
> ------------------------------------------------------------------------------
> WhatsUp Gold - Download Free Network Management Software
> The most intuitive, comprehensive, and cost-effective network
> management toolset available today. Delivers lowest initial
> acquisition cost and overall TCO of any competing solution.
> http://p.sf.net/sfu/whatsupgold-sd
> _______________________________________________
> Ipsec-tools-devel mailing list
> Ipsec-tools-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel
>
--
Jarrod Lowe
--- ipsec-tools-0.6.5/src/racoon/pfkey.c.orig 2011-04-26
11:21:03.604587490 -0400
+++ ipsec-tools-0.6.5/src/racoon/pfkey.c 2011-04-26 11:21:26.374588340 -0400
@@ -1113,7 +1113,7 @@
u_int e_type, e_keylen, a_type, a_keylen, flags;
u_int satype, mode;
u_int64_t lifebyte = 0;
- u_int wsize = 4; /* XXX static size of window */
+ u_int wsize = 8; /* XXX static size of window */
int proxy = 0;
struct ph2natt natt;
u_int8_t ctxdoi = 0, ctxalg = 0;
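Review bot: the `- u_int wsize = 4;` / `+ u_int wsize = 8;` change still leaves the window size as a hardcoded literal (the `/* XXX static size of window */` comment survives the edit), whereas the thread asks for a per-peer or per-sainfo configurable value; at minimum pull the literal into one named constant so the two copies of this assignment cannot drift apart. Since wsize is a byte count of the replay bitmap, 8 doubles the window from 32 to 64 packets; that should be stated in the comment or in the patch description rather than left implicit. Also note that the `---` file header of this patch is wrapped across two lines in the mail and must be rejoined before `patch` will read it.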
@@ -1460,7 +1460,7 @@
u_int e_type, e_keylen, a_type, a_keylen, flags;
u_int satype, mode;
u_int64_t lifebyte = 0;
- u_int wsize = 4; /* XXX static size of window */
+ u_int wsize = 8; /* XXX static size of window */
int proxy = 0;
struct ph2natt natt;
u_int8_t ctxdoi = 0, ctxalg = 0;
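Review bot: this is the second identical copy of the `wsize` change (the first is in the hunk at line 1113); a magic number duplicated in two functions is exactly how the two will diverge later, so define it once (or read it from configuration) and reference it from both places. The patch has also lost its leading indentation in the mail, so it will need `patch -l` (ignore whitespace) or re-indenting before it applies cleanly.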
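To make concrete what the byte-sized wsize value above actually governs, here is an added example (my own code, not racoon's or the kernel's) of an RFC 4303 style anti-replay window whose bitmap size is given in bytes, together with a constructed out-of-order delivery scenario. The struct, the MAX_WSIZE cap and the scenario() helper are assumptions of this example; it models 32-bit sequence numbers only, without extended sequence numbers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_WSIZE 8  /* bitmap bytes supported here (assumed cap); 8 bytes = 64 packets */

/* Per-SA anti-replay state. wsize is the bitmap size in bytes, the same
 * meaning as racoon's wsize: 4 bytes = 32 packets, 8 bytes = 64 packets. */
struct replay_win {
    uint32_t wsize;
    uint32_t last_seq;           /* highest sequence number accepted so far */
    uint8_t  bitmap[MAX_WSIZE];  /* bit i set: sequence (last_seq - i) was seen */
};

static bool bit_get(const uint8_t *bm, uint32_t i) { return (bm[i / 8] >> (i % 8)) & 1; }
static void bit_set(uint8_t *bm, uint32_t i) { bm[i / 8] |= (uint8_t)(1u << (i % 8)); }
static void bit_clr(uint8_t *bm, uint32_t i) { bm[i / 8] &= (uint8_t)~(1u << (i % 8)); }

/* RFC 4303 style check-and-update: true if seq is accepted (and recorded),
 * false if it is a replay or has fallen behind the window. */
static bool replay_check_update(struct replay_win *w, uint32_t seq) {
    uint32_t bits = w->wsize * 8;
    if (seq == 0) return false;                 /* ESP never sends sequence 0 */
    if (seq > w->last_seq) {                    /* newer: slide the window up */
        uint32_t shift = seq - w->last_seq;
        for (uint32_t i = bits; i-- > 0;)       /* high to low, so reads see old bits */
            if (shift < bits && i >= shift && bit_get(w->bitmap, i - shift)) bit_set(w->bitmap, i);
            else bit_clr(w->bitmap, i);
        w->last_seq = seq;
        bit_set(w->bitmap, 0);
        return true;
    }
    uint32_t diff = w->last_seq - seq;
    if (diff >= bits) return false;             /* too old: dropped even if genuine */
    if (bit_get(w->bitmap, diff)) return false; /* already seen: replay */
    bit_set(w->bitmap, diff);
    return true;
}

/* Constructed scenario: deliver 1..high in order, holding back 'hold' (0 holds
 * nothing), then deliver 'late'. Returns 1 if 'late' is accepted, else 0. */
static int scenario(uint32_t wsize_bytes, uint32_t high, uint32_t hold, uint32_t late) {
    struct replay_win w;
    memset(&w, 0, sizeof w);
    w.wsize = wsize_bytes > MAX_WSIZE ? MAX_WSIZE : wsize_bytes;
    for (uint32_t s = 1; s <= high; s++)
        if (s != hold) replay_check_update(&w, s);
    return replay_check_update(&w, late) ? 1 : 0;
}
```

With wsize 4, a genuine packet arriving 32 or more sequence numbers behind the newest one is dropped exactly like a replay would be, which is the symptom the thread describes; with wsize 8 the same packet is accepted.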