From owner-freebsd-net@FreeBSD.ORG Thu Jan 26 19:51:37 2006
Return-Path:
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5042816A420 for ; Thu, 26 Jan 2006 19:51:37 +0000 (GMT) (envelope-from julian@elischer.org)
Received: from a50.ironport.com (a50.ironport.com [63.251.108.112]) by mx1.FreeBSD.org (Postfix) with ESMTP id D929A43D49 for ; Thu, 26 Jan 2006 19:51:36 +0000 (GMT) (envelope-from julian@elischer.org)
Received: from unknown (HELO [10.251.17.229]) ([10.251.17.229]) by a50.ironport.com with ESMTP; 26 Jan 2006 11:51:36 -0800
Message-ID: <43D92848.2050005@elischer.org>
Date: Thu, 26 Jan 2006 11:51:36 -0800
From: Julian Elischer
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.11) Gecko/20050727
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: FreeBSD MailList
References: <83462512.20060126181018@osk.com.ua>
In-Reply-To: <83462512.20060126181018@osk.com.ua>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-net@freebsd.org
Subject: Re: Duplicate SAD entries lead to ESP tunnel malfunction
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 26 Jan 2006 19:51:37 -0000

Oleg Tarasov wrote:
> Hello,
>
> I run FreeBSD 6.0 and installed the latest ported version of ipsec-tools.
>
> I had to create two IPSEC tunnels to two different hosts. On one host
> runs FreeBSD too; on the other host there is a hardware router, a DI-804HV
> (D-Link). That router is supposed to support IPSEC tunnelling and
> seems to work fine.
>
> When an IPSEC tunnel is established two SAD entries are created - one per
> direction. This is normal functioning.
>
> In my case sometimes two more are created. Some connection
> problem occurs causing both sides to reestablish the tunnel. Both sides
> report that the tunnel is established successfully but no packets can pass
> through the tunnel. Dumping SAD entries using
>     setkey -D
> shows that there are two SAD entries for both address pairs.
>
> How can this happen anyway?
>
> Flushing the SAD entries helps the tunnel return to functionality - after
> this the tunnel is established successfully and works properly.
>

There is a sysctl that can help this behaviour, but I forget which; something to do with ipsec and oldSAD or newSAD or something..

> ==========
>
>
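The condition described in the thread (more than one SA per address pair after a re-negotiation) can be spotted directly in `setkey -D` output before traffic silently stops. The script below is an added example written for this page, not code from the thread or from ipsec-tools: it reads `setkey -D` text on stdin and prints every src/dst pair that carries more than one ESP or AH SA, together with the SPIs involved, so an operator can see which SA is stale instead of flushing the whole SAD blindly. The sample SAD dump is constructed (RFC 5737 addresses, made-up SPIs) and mimics the layout of `setkey -D`: an unindented "src dst" line followed by indented detail lines, the first of which names the protocol and SPI.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# find_dup_sas: read `setkey -D` output on stdin and report address pairs
# that have more than one SA, e.g. after both peers re-negotiated a tunnel.
#
# Usage on a live system:   setkey -D | find_dup_sas
# An empty result means every address pair has exactly one SA.

# Constructed sample of `setkey -D` output (not a real capture).
# Pair 192.0.2.1 <-> 192.0.2.2 has been re-negotiated and now holds two SAs
# in each direction; pair 192.0.2.1 <-> 198.51.100.1 is healthy.
SAMPLE_SAD='192.0.2.1 192.0.2.2
    esp mode=tunnel spi=16909060(0x01020304) reqid=0(0x00000000)
    E: 3des-cbc  0102030405060708 090a0b0c0d0e0f10 1112131415161718
    A: hmac-sha1  0102030405060708 090a0b0c0d0e0f10 11121314
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.1 192.0.2.2
    esp mode=tunnel spi=16909061(0x01020305) reqid=0(0x00000000)
    E: 3des-cbc  1112131415161718 090a0b0c0d0e0f10 0102030405060708
    A: hmac-sha1  1112131415161718 090a0b0c0d0e0f10 01020304
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.2 192.0.2.1
    esp mode=tunnel spi=84281096(0x05060708) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.2 192.0.2.1
    esp mode=tunnel spi=84281097(0x05060709) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.1 198.51.100.1
    esp mode=tunnel spi=287454020(0x11223344) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.1 192.0.2.1
    esp mode=tunnel spi=287454021(0x11223345) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
'

find_dup_sas() {
    awk '
        # An unindented line with exactly two fields is a "src dst" header;
        # everything indented below it belongs to that pair.
        /^[^[:space:]]/ && NF == 2 { pair = $1 " " $2; next }

        # The first indented line of each SA names the protocol and the SPI.
        /^[[:space:]]+(esp|ah)[[:space:]]/ {
            spi = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^spi=/) spi = $i
            n[pair]++
            spis[pair] = spis[pair] (n[pair] > 1 ? "," : "") spi
        }

        # Report only pairs that carry more than one SA: "src dst count spis".
        END { for (p in n) if (n[p] > 1) print p, n[p], spis[p] }
    ' | sort
}

# count_dup_pairs: number of address pairs flagged by find_dup_sas.
count_dup_pairs() {
    find_dup_sas | wc -l | tr -d " "
}

# Demo against the constructed sample.
printf '%s\n' "$SAMPLE_SAD" | find_dup_sas
```

Run against the constructed sample the report lists the two 192.0.2.1/192.0.2.2 directions with two SPIs each and stays silent about the healthy 198.51.100.1 pair. On a live host, compare the SPIs printed here with what the IKE daemon (racoon) believes is current; the one it no longer references is the stale entry that can be deleted individually with `setkey -c` and a `delete` line instead of flushing the whole SAD.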