From owner-freebsd-net@FreeBSD.ORG Wed Sep 30 12:08:38 2009 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BBB381065679 for ; Wed, 30 Sep 2009 12:08:38 +0000 (UTC) (envelope-from vanhu@zeninc.net) Received: from smtp.zeninc.net (smtp.zeninc.net [80.67.176.25]) by mx1.freebsd.org (Postfix) with ESMTP id 68ECB8FC1B for ; Wed, 30 Sep 2009 12:08:38 +0000 (UTC) Received: from astro.zen.inc (astro.zen.inc [192.168.1.239]) by smtp.zeninc.net (smtpd) with ESMTP id 374892798BC; Wed, 30 Sep 2009 14:08:36 +0200 (CEST) Received: by astro.zen.inc (Postfix, from userid 1000) id 2D0721705D; Wed, 30 Sep 2009 14:08:23 +0200 (CEST) Date: Wed, 30 Sep 2009 14:08:23 +0200 From: VANHULLEBUS Yvan To: "Zaidi, Abbas" Message-ID: <20090930120822.GA73383@zeninc.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: All mail clients suck. This one just sucks less. Cc: freebsd-net@freebsd.org, "Ansari, Fakhir" , "Khan, Fayyaz" Subject: Re: FreeBSD ipsec tunnel mode packet lost X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Sep 2009 12:08:38 -0000 On Wed, Sep 30, 2009 at 01:16:47PM +0200, Zaidi, Abbas wrote: > Hi Hi. > I am having this strange problem establishing tunnel between FreeBSD and > linux, my network setup is [the setup] > Once the SAs get negotiated I send a ping request from FreeBSDe to > Linuxe. The packets get an ipsec header applied at FreeBSDr reaches > Linuxe a reply to packet comes back at Link1::e interface of FreeBSDr > and then packet gets lost. > > I am not using gif. Do I need it? Probably not. > I don't think any thing is wrong with ipsec as the seq of both in and > out sa are incrementing on every echo request reply. please check output of "netstat -s" (mainly sections esp, ipsec6, ip6), and see if some counters increase for each dropped packet. [...] > There is one strange thing about security policies as of linux in case > of tunnel there are 3 policies added (in, out, fwd) where as in FreeBSD > it only shows 2 (in, out). This is specific to Linux's IPsec stack implementation, just forget anything related to "fwd"..... Yvan.