From: "Zaidi, Abbas" <Abbas_Zaidi@mentor.com>
To: "VANHULLEBUS Yvan" <vanhu@FreeBSD.org>
Cc: freebsd-net@freebsd.org, "Ansari, Fakhir", "Khan, Fayyaz"
Date: Thu, 1 Oct 2009 10:00:35 +0200
Subject: RE: FreeBSD ipsec tunnel mode packet lost
In-Reply-To: <20090930120822.GA73383@zeninc.net>
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)

Thanks Yvan for the help.

The problem got solved by changing the "in" security policy on the SGW from ipsec level "require" to "use", but I'm still not clear what the real issue was. Why can't we use "require" on it?
Thanks,

-----Original Message-----
From: VANHULLEBUS Yvan [mailto:vanhu@FreeBSD.org]
Sent: Wednesday, September 30, 2009 6:08 PM
To: Zaidi, Abbas
Cc: freebsd-net@freebsd.org; Ansari, Fakhir; Khan, Fayyaz
Subject: Re: FreeBSD ipsec tunnel mode packet lost

On Wed, Sep 30, 2009 at 01:16:47PM +0200, Zaidi, Abbas wrote:
> Hi

Hi.

> I am having this strange problem establishing a tunnel between FreeBSD and
> Linux; my network setup is

[the setup]

> Once the SAs get negotiated I send a ping request from FreeBSDe to
> Linuxe. The packets get an IPsec header applied at FreeBSDr and reach
> Linuxe; a reply packet comes back at the Link1::e interface of FreeBSDr
> and then the packet gets lost.
>
> I am not using gif. Do I need it?

Probably not.

> I don't think anything is wrong with IPsec, as the seq of both the in and
> out SA are incrementing on every echo request/reply.

Please check the output of "netstat -s" (mainly the esp, ipsec6 and ip6 sections) and see if some counters increase for each dropped packet.

[...]

> There is one strange thing about security policies: on Linux, in the case
> of a tunnel there are 3 policies added (in, out, fwd), whereas in FreeBSD
> it only shows 2 (in, out).

This is specific to Linux's IPsec stack implementation; just forget anything related to "fwd".

Yvan.
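Yvan's diagnostic step (snapshot "netstat -s", send a known number of pings, see which counters move) is quick for one or two counters but tedious across the whole output. The script below is an added example and not part of the thread: it parses two snapshots of FreeBSD-style "netstat -s" text, reports every counter whose value changed, and ranks the ones whose description reads like a drop. The two snapshots embedded in it are constructed sample text in that layout; the counter names, values and the five-packet deltas are illustrative and are not taken from the original report.

```python
"""Diff two `netstat -s` snapshots to find counters that grow per lost packet."""
import re
from typing import Dict

# An indented line starting with an integer is a counter; an unindented
# line ending in ':' names the section it belongs to (ip6:, esp:, ipsec6:, ...).
COUNTER_RE = re.compile(r"^\s+(\d+)\s+(.*\S)\s*$")

# Words that, in a counter description, usually mean the packet was not
# delivered. Used only to rank the deltas for the reader.
DROP_WORDS = ("dropped", "violated", "failed", "discarded", "bad", "invalid")


def parse_netstat_s(text: str) -> Dict[str, int]:
    """Return {"section: description": value} for every counter line."""
    counters: Dict[str, int] = {}
    section = ""
    for line in text.splitlines():
        if line and not line[0].isspace():
            if line.rstrip().endswith(":"):
                section = line.strip().rstrip(":")
            continue
        m = COUNTER_RE.match(line)
        if m:
            counters[f"{section}: {m.group(2)}"] = int(m.group(1))
    return counters


def counter_deltas(before: str, after: str) -> Dict[str, int]:
    """Counters whose value changed between the two snapshots (after - before)."""
    old, new = parse_netstat_s(before), parse_netstat_s(after)
    return {k: v - old.get(k, 0) for k, v in new.items() if v != old.get(k, 0)}


def flag_drops(deltas: Dict[str, int]) -> Dict[str, int]:
    """Subset of the deltas whose description suggests a discarded packet."""
    return {k: v for k, v in deltas.items()
            if any(w in k.lower() for w in DROP_WORDS)}


# Constructed sample snapshots in FreeBSD `netstat -s` layout, taken "before"
# and "after" five echo requests. Names and values are illustrative only.
BEFORE = """\
ip6:
\t1040 total packets received
\t0 with size smaller than minimum
\t1020 packets for this host
esp:
\t0 packets shorter than header shows
\t0 packets dropped; protocol family not supported
\t300 packets processed correctly
ipsec6:
\t12 inbound packets violated process security policy
\t0 inbound packets failed due to insufficient memory
\t0 outbound packets violated process security policy
"""

# Same snapshot five packets later: each of the four moving counters grows by 5.
AFTER = (BEFORE.replace("1040 total", "1045 total")
               .replace("1020 packets for", "1025 packets for")
               .replace("300 packets processed", "305 packets processed")
               .replace("12 inbound packets violated", "17 inbound packets violated"))

if __name__ == "__main__":
    deltas = counter_deltas(BEFORE, AFTER)
    suspects = flag_drops(deltas)
    for name, d in sorted(deltas.items(), key=lambda kv: -kv[1]):
        marker = "<-- drop?" if name in suspects else ""
        print(f"{d:+6d}  {name} {marker}")
```

In practice, save "netstat -s" to a file, send a fixed number of pings (say 5), save it again and pass both files' contents to counter_deltas; a counter that grows by exactly the number of pings in the esp, ipsec6 or ip6 section is the one to chase.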
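The thread's "fix" (changing the inbound policy level from "require" to "use") deserves a caveat that the thread itself does not spell out. Per setkey(8), "require" means a packet matching the policy is only accepted if it was decapsulated from an SA matching that policy, while "use" means the kernel uses an SA if one is available and otherwise passes the packet in the clear. Switching the inbound policy to "use" therefore does not make the tunnel work under "require"; it makes the gateway accept plaintext packets claiming to come from the remote inner network, which is exactly what the "in" policy exists to refuse. The fragment below is an added example in setkey.conf syntax, not configuration from the thread; all addresses are assumptions drawn from the IPv6 documentation prefix.

```conf
# Added example for the FreeBSD security gateway, loaded with: setkey -f /etc/ipsec.conf
# Assumed addresses (not the ones from the thread):
#   inner networks:   2001:db8:1::/64 behind the FreeBSD SGW, 2001:db8:2::/64 behind the Linux SGW
#   tunnel endpoints: 2001:db8:ff::1 (FreeBSD SGW), 2001:db8:ff::2 (Linux SGW)

spdflush;

# Outbound: traffic from the local inner network to the remote one must be
# ESP-encapsulated towards the peer.
spdadd 2001:db8:1::/64 2001:db8:2::/64 any -P out ipsec esp/tunnel/2001:db8:ff::1-2001:db8:ff::2/require;

# Inbound as the thread left it: "use" accepts a matching packet whether or not
# it arrived through the SA, so a policy/SA mismatch is hidden rather than fixed
# and unprotected packets for the inner network are let through.
spdadd 2001:db8:2::/64 2001:db8:1::/64 any -P in ipsec esp/tunnel/2001:db8:ff::2-2001:db8:ff::1/use;

# Inbound as it should be: a packet from the remote inner network is dropped
# unless it was decapsulated from an SA whose tunnel endpoints match this entry.
# spdadd 2001:db8:2::/64 2001:db8:1::/64 any -P in ipsec esp/tunnel/2001:db8:ff::2-2001:db8:ff::1/require;
```

With "require" restored on the inbound entry, the check to run is "setkey -DP" next to "setkey -D": the tunnel endpoints, protocol (esp) and mode (tunnel) in the SPD entry must match the src/dst of the inbound SA exactly, including address scope. A packet that was decrypted by an SA the policy does not recognise is a policy violation, which is what the ipsec6 section of "netstat -s" that Yvan pointed at would show increasing per lost reply.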