From owner-freebsd-net@FreeBSD.ORG  Wed Sep 30 12:08:38 2009
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id BBB381065679
	for <freebsd-net@freebsd.org>; Wed, 30 Sep 2009 12:08:38 +0000 (UTC)
	(envelope-from vanhu@zeninc.net)
Received: from smtp.zeninc.net (smtp.zeninc.net [80.67.176.25])
	by mx1.freebsd.org (Postfix) with ESMTP id 68ECB8FC1B
	for <freebsd-net@freebsd.org>; Wed, 30 Sep 2009 12:08:38 +0000 (UTC)
Received: from astro.zen.inc (astro.zen.inc [192.168.1.239])
	by smtp.zeninc.net (smtpd) with ESMTP id 374892798BC;
	Wed, 30 Sep 2009 14:08:36 +0200 (CEST)
Received: by astro.zen.inc (Postfix, from userid 1000)
	id 2D0721705D; Wed, 30 Sep 2009 14:08:23 +0200 (CEST)
Date: Wed, 30 Sep 2009 14:08:23 +0200
From: VANHULLEBUS Yvan <vanhu@FreeBSD.org>
To: "Zaidi, Abbas" <Abbas_Zaidi@mentor.com>
Message-ID: <20090930120822.GA73383@zeninc.net>
References: <A19AEE62D2942649A4C49BCD0878E421CB2CAD@eu2-mail.mgc.mentorg.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <A19AEE62D2942649A4C49BCD0878E421CB2CAD@eu2-mail.mgc.mentorg.com>
User-Agent: All mail clients suck. This one just sucks less.
Cc: freebsd-net@freebsd.org, "Ansari, Fakhir" <Fakhir_Ansari@mentor.com>, "Khan,
	Fayyaz" <Fayyaz_Khan@mentor.com>
Subject: Re: FreeBSD ipsec tunnel mode packet lost
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Sep 2009 12:08:38 -0000

On Wed, Sep 30, 2009 at 01:16:47PM +0200, Zaidi, Abbas wrote:
> Hi

Hi.


> I am having this strange problem establishing tunnel between FreeBSD and
> linux, my network setup is
[the setup]
> Once the SAs get negotiated I send a ping request from FreeBSDe to
> Linuxe. The packets get an ipsec header applied at FreeBSDr reaches
> Linuxe a reply to packet comes back at Link1::e interface of FreeBSDr
> and then packet gets lost.
> 
> I am not using gif. Do I need it?

Probably not.


> I don't think any thing is wrong with ipsec as the seq of both in and
> out sa are incrementing on every echo request reply.

please check output of "netstat -s" (mainly sections esp, ipsec6,
ip6), and see if some counters increase for each dropped packet.


[...]
> There is one strange thing about security policies as of linux in case
> of tunnel there are 3 policies added (in, out, fwd) where as in FreeBSD
> it only shows 2 (in, out).

This is specific to Linux's IPsec stack implementation, just forget
anything related to "fwd".....


Yvan.