From: Aristedes Maniatis <ari@ish.com.au>
To: Dewayne Geraghty
Cc: freebsd-stable@freebsd.org
Date: Tue, 30 Dec 2014 16:32:41 +1100
Subject: Re: ipsec routing issue
Message-ID: <54A238F9.7040701@ish.com.au>
References: <54A17F33.2020708@ish.com.au> <54A1ED2F.2070305@heuristicsystems.com.au>
In-Reply-To: <54A1ED2F.2070305@heuristicsystems.com.au>

On 30/12/2014 11:09am, Dewayne Geraghty wrote:
> # These remain the same on the two end-points
> add 110.92.114.99 101.48.55.78 esp 25131 -E rijndael-cbc
> "from_here_to_there12345 *";
> add 101.48.55.78 110.92.114.99 esp 25136 -E rijndael-cbc
> "from_there_to_here 12345&";

I've never done anything like this, just spdadd lines... none of the docs I've found say to do this. I understand that this adds entries to the Security Association Database, which sounds like a union for security people.

When I look at the result of "setkey -D" I get 12 entries, so it seems that something is there already. Looks like I get a set of three entries for each tunnel, for each direction.

202.161.111.54 202.127.223.110
	ipcomp mode=tunnel spi=32898(0x00008082) reqid=16394(0x0000400a)
	C: deflate
	seq=0x00000000 replay=0 flags=0x00000080 state=mature
	created: Dec 30 15:33:39 2014	current: Dec 30 16:26:14 2014
	diff: 3155(s)	hard: 14400(s)	soft: 11120(s)
	last:	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=2 pid=38134 refcnt=1
202.161.111.54 202.127.223.110
	ipcomp mode=tunnel spi=49151(0x0000bfff) reqid=16394(0x0000400a)
	C: deflate
	seq=0x00000000 replay=0 flags=0x00000080 state=mature
	created: Dec 30 15:33:29 2014	current: Dec 30 16:26:14 2014
	diff: 3165(s)	hard: 14400(s)	soft: 11120(s)
	last:	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=1 pid=38134 refcnt=1
202.161.111.54 202.127.223.110
	esp mode=tunnel spi=229368149(0x0dabe155) reqid=0(0x00000000)
	E: blowfish-cbc 0c9e4d52 f7550f65 f5000990 5597db6e
	A: hmac-sha1 dd05d1b2 78f43bcb 56bc7d5d 60c7c9bc 918f2c2a
	seq=0x00001483 replay=4 flags=0x00000000 state=mature
	created: Dec 30 15:33:29 2014	current: Dec 30 16:26:14 2014
	diff: 3165(s)	hard: 14400(s)	soft: 11120(s)
	last: Dec 30 16:26:14 2014	hard: 0(s)	soft: 0(s)
	current: 421280(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 5251	hard: 0	soft: 0
	sadb_seq=0 pid=38134 refcnt=1

Am I expecting to see "C: deflate" in here twice?

(Again, like the other emails, I've changed a few IP addresses to obfuscate the real servers, but I changed them the same way as in the other email.)

Thanks for your help

Ari

-- 
-------------------------->
Aristedes Maniatis
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001   fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A
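As an added example (not part of either mail in this thread), here is a small Python parser for the setkey -D layout quoted above; it groups SAs by endpoint pair, protocol and reqid so that entries sharing a reqid, and SAs that have carried no traffic, stand out. The embedded dump is trimmed from the mail, with key material omitted and the poster's obfuscated addresses kept.

```python
import re
from collections import defaultdict

# Trimmed setkey -D output from the mail above; key material omitted, addresses as the poster obfuscated them.
SAD_DUMP = """\
202.161.111.54 202.127.223.110
    ipcomp mode=tunnel spi=32898(0x00008082) reqid=16394(0x0000400a)
    C: deflate
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
202.161.111.54 202.127.223.110
    ipcomp mode=tunnel spi=49151(0x0000bfff) reqid=16394(0x0000400a)
    C: deflate
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
202.161.111.54 202.127.223.110
    esp mode=tunnel spi=229368149(0x0dabe155) reqid=0(0x00000000)
    E: blowfish-cbc
    A: hmac-sha1
    seq=0x00001483 replay=4 flags=0x00000000 state=mature
    current: 421280(bytes) hard: 0(bytes) soft: 0(bytes)
"""
HEADER = re.compile(r"^(\S+) (\S+)$")            # unindented "src dst" line starts a new SA
PROTO = re.compile(r"^\s*(esp|ah|ipcomp) mode=(\S+) spi=(\d+)\(\S+\) reqid=(\d+)")
ALG = re.compile(r"^\s*([EAC]): (\S+)")          # E: cipher, A: authenticator, C: compression
STATE = re.compile(r"state=(\w+)")
BYTES = re.compile(r"^\s*current: (\d+)\(bytes\)")  # byte lifetime counter, not the timestamp line

def parse_sad(text):
    """Turn setkey -D output into a list of SA dicts (one per address-pair header)."""
    sas, sa = [], None
    for line in text.splitlines():
        if (m := HEADER.match(line)):
            sa = {"src": m[1], "dst": m[2], "algs": {}, "bytes": 0}
            sas.append(sa)
        elif sa is None:
            continue                         # skip anything before the first SA header
        elif (m := PROTO.match(line)):
            sa.update(proto=m[1], mode=m[2], spi=int(m[3]), reqid=int(m[4]))
        elif (m := ALG.match(line)):
            sa["algs"][m[1]] = m[2]          # any key bytes after the algorithm name are ignored
        elif (m := BYTES.match(line)):
            sa["bytes"] = int(m[1])          # traffic carried so far; 0 means the SA is idle
        elif (m := STATE.search(line)):
            sa["state"] = m[1]
    return sas

def duplicate_sas(sas):
    """Return {(src, dst, proto, reqid): [(spi, bytes), ...]} for groups holding more than one SA."""
    groups = defaultdict(list)
    for sa in sas:
        groups[(sa["src"], sa["dst"], sa["proto"], sa["reqid"])].append((sa["spi"], sa["bytes"]))
    return {k: v for k, v in groups.items() if len(v) > 1}
```

Running it on the dump above lists the two ipcomp SAs under the same reqid with zero bytes each, while the single esp SA carries all the traffic; it reports the layout, not why the kernel keeps both entries.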