From: Peter Haight
To: freebsd-questions@freebsd.org
Subject: FreeBSD IPSEC tunnel stopped working.
Date: Mon, 27 Jan 2003 04:25:36 -0800
Message-Id: <200301271225.h0RCPaLG001029@wartch.sapros.com>

I had a FreeBSD IPSEC tunnel set up between two machines that stopped working when I upgraded one of the machines to a newer version of 4.7-STABLE. I'm not sure what the problem is. When I watch the packets on the outside interfaces, I see the packet go out from one host, the older (4.7-RELEASE) machine replies, but the new one never moves that reply packet back across the tunnel. 'netstat -sn -p ipsec' is reporting that packets are "violating process security policy". I'm pretty sure that is the problem, but I'm not sure what that means.
Here's setkey -DP (4.7-STABLE):

192.168.1.1/24[any] 10.10.1.1/24[any] any
    in ipsec
    esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
    spid=24 seq=1 pid=24319 refcnt=1
10.10.1.1/24[any] 192.168.1.1/24[any] any
    out ipsec
    esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
    spid=23 seq=0 pid=24319 refcnt=1

setkey -DP (4.7-RELEASE):

10.10.1.1/24[any] 192.168.1.1/24[any] any
    in ipsec
    esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
    spid=4 seq=1 pid=8760 refcnt=1
192.168.1.1/24[any] 10.10.1.1/24[any] any
    out ipsec
    esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
    spid=3 seq=0 pid=8760 refcnt=1

netstat -sn -p ipsec (4.7-STABLE):

ipsec:
    1688 inbound packets processed successfully
    1682 inbound packets violated process security policy
    0 inbound packets with no SA available
    0 invalid inbound packets
    0 inbound packets failed due to insufficient memory
    0 inbound packets failed getting SPI
    0 inbound packets failed on AH replay check
    0 inbound packets failed on ESP replay check
    0 inbound packets considered authentic
    0 inbound packets failed on authentication
    ESP input histogram:
        blowfish-cbc: 1688
    588 outbound packets processed successfully
    0 outbound packets violated process security policy
    11 outbound packets with no SA available
    0 invalid outbound packets
    0 outbound packets failed due to insufficient memory
    0 outbound packets with no route
    ESP output histogram:
        blowfish-cbc: 588
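As an added example (not part of the original mail, and not a FreeBSD tool), here is a small Python check that parses both hosts' setkey -DP dumps, normalises the selectors to network prefixes, and verifies that every inbound tunnel policy on one host has a mirror outbound policy on the peer; it also pulls the "violated process security policy" counter out of the netstat output. The sample input is constructed from the dumps quoted above and keeps the poster's XX/YY placeholders; for these two dumps the checker reports no mismatch, so the SPD selectors themselves are not asymmetric.

```python
"""Diagnostic for the mismatch described in the mail: parse each host's
`setkey -DP` dump and check that every inbound tunnel policy on one host is
mirrored by an outbound policy on the other.  Added example; sample text is
constructed from the mail and keeps the poster's XX/YY placeholders."""
import ipaddress
import re

# One SPD entry as setkey -DP prints it (selector, direction and policy may
# be split across lines); spid/seq/pid/refcnt are ignored.
ENTRY = re.compile(
    r"(?P<src>[^\s\[]+)\[any\]\s+(?P<dst>[^\s\[]+)\[any\]\s+any\s+"
    r"(?P<dir>in|out)\s+ipsec\s+esp/tunnel/(?P<tsrc>[^-\s]+)-(?P<tdst>[^/\s]+)/require"
)

def parse_spd(text):
    """Return {(dir, src_net, dst_net, tunnel_src, tunnel_dst), ...}."""
    policies = set()
    for m in ENTRY.finditer(text):
        # setkey echoes the address as typed (192.168.1.1/24); the kernel
        # matches on the masked prefix, so normalise to 192.168.1.0/24.
        src = str(ipaddress.ip_network(m["src"], strict=False))
        dst = str(ipaddress.ip_network(m["dst"], strict=False))
        policies.add((m["dir"], src, dst, m["tsrc"], m["tdst"]))
    return policies

def unmatched_inbound(local, peer):
    """Inbound policies on `local` with no mirror outbound policy on `peer`."""
    return sorted((s, d, ts, td) for dr, s, d, ts, td in local
                  if dr == "in" and ("out", s, d, ts, td) not in peer)

def policy_violations(netstat_text):
    """Inbound packets the kernel rejected against the SPD (in_polvio)."""
    m = re.search(r"(\d+) inbound packets violated process security policy", netstat_text)
    return int(m.group(1)) if m else 0
# Constructed from the dumps quoted in the mail (one entry per line).
STABLE_SPD = """\
192.168.1.1/24[any] 10.10.1.1/24[any] any in ipsec esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require spid=24 seq=1 pid=24319 refcnt=1
10.10.1.1/24[any] 192.168.1.1/24[any] any out ipsec esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require spid=23 seq=0 pid=24319 refcnt=1
"""
RELEASE_SPD = """\
10.10.1.1/24[any] 192.168.1.1/24[any] any in ipsec esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require spid=4 seq=1 pid=8760 refcnt=1
192.168.1.1/24[any] 10.10.1.1/24[any] any out ipsec esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require spid=3 seq=0 pid=8760 refcnt=1
"""
STABLE_NETSTAT = "1688 inbound packets processed successfully\n1682 inbound packets violated process security policy\n"

if __name__ == "__main__":
    stable, release = parse_spd(STABLE_SPD), parse_spd(RELEASE_SPD)
    for src, dst, ts, td in unmatched_inbound(stable, release):
        print(f"STABLE in {src}->{dst} via {ts}-{td}: no matching out policy on RELEASE")
    print("SPD violations counted on STABLE:", policy_violations(STABLE_NETSTAT))
```

The script only compares policies; the kernel's inbound check also compares the endpoints of the tunnel-mode SA a packet arrived on against the policy's tunnel endpoints, which needs the SAD (setkey -D) rather than the SPD dump alone.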