From: Gabe <nrml@att.net>
To: "Bjoern A. Zeeb"
Cc: freebsd-net@freebsd.org
Date: Tue, 30 Dec 2008 01:44:29 -0800 (PST)
Subject: Re: +ipsec_common_input: no key association found for SA
Message-ID: <258438.24300.qm@web83813.mail.sp1.yahoo.com>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

----- Original Message ----
> From: Bjoern A. Zeeb
> To: Gabe
> Cc: freebsd-net@freebsd.org
> Sent: Monday, December 29, 2008 2:25:32 PM
> Subject: Re: +ipsec_common_input: no key association found for SA
>
> On Mon, 29 Dec 2008, Bjoern A. Zeeb wrote:
>
> > On Mon, 29 Dec 2008, Gabe wrote:
> >
> >> This is what setkey -Da returns:
> >> box# setkey -Da
> >> Invalid extension type
> >> Invalid extension type
> >> box#
> >
> > you are running with the NAT-T patch (as I see you say further down).
> > Try /usr/local/sbin/setkey -Da in that case.
>
> One more thing; if you are comparing SPIs from the log with setkey,
> you can also run
>
>     tcpdump -s 0 -vv -ln proto 50
>
> and it will show you something like
>
>     ... ESP(spi=0x12345678,seq=0x..),
>
> so you could as well compare what you receive on the wire with what
> you get in the log. This would help to eliminate the case of a
> problematic patch.
>
> /bz
>
> --
> Bjoern A. Zeeb          The greatest risk is not taking one.

Thanks for the help on this. As far as the box-box2 mistake, it was no typo.
This is what I've changed it to:

local server:

    flush;
    spdflush;
    spdadd 192.168.10.0/24 192.168.20.0/24 any -P out ipsec esp/tunnel/box-box2/unique;
    spdadd 192.168.20.0/24 192.168.10.0/24 any -P in ipsec esp/tunnel/box2-box/unique;

and on the remote server:

    flush;
    spdflush;
    spdadd 192.168.20.0/24 192.168.10.0/24 any -P out ipsec esp/tunnel/box2-box/unique;
    spdadd 192.168.10.0/24 192.168.20.0/24 any -P in ipsec esp/tunnel/box-box2/unique;

However, I still get the ipsec_common message, albeit not as often; it
appears to happen only when I restart racoon now. I also tried matching the
SPIs, but the SPIs given by setkey -Da did not match the ones in the log.
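The SPI comparison Bjoern suggests, written out as a small script (an added example, not part of the thread): it pulls SPIs out of the kernel's "no key association found for SA" messages, out of setkey -D output and out of tcpdump's ESP lines, then lists the rejected SPIs that are not in the SAD at all. The sample lines are constructed, and the exact message and output formats are assumed to follow FreeBSD's ipsec_common_input, setkey -D and tcpdump -vv; adjust the sed patterns if your versions print them differently.

```shell
#!/bin/sh
# Constructed sample input (assumption: the kernel logs
# "no key association found for SA addr/spi/proto", setkey -D prints
# "spi=N(0xHEX)" and tcpdump -vv prints "ESP(spi=0xHEX,seq=...)").
SETKEY_OUT='198.51.100.1 198.51.100.2
    esp mode=tunnel spi=3735928559(0xdeadbeef) reqid=0(0x00000000)
198.51.100.2 198.51.100.1
    esp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)'
KERNEL_LOG='Dec 30 01:40:01 box kernel: ipsec_common_input: no key association found for SA 198.51.100.1/12345678/50
Dec 30 01:40:05 box kernel: ipsec_common_input: no key association found for SA 198.51.100.1/0badcafe/50'
TCPDUMP_OUT='01:40:05.000000 IP 198.51.100.2 > 198.51.100.1: ESP(spi=0x0badcafe,seq=0x2), length 132'

# sad_spis: SPIs (lower-case hex) currently in the SAD, from setkey -D on stdin
sad_spis() {
    sed -n 's|.*spi=[0-9]*(0x\([0-9a-fA-F]*\)).*|\1|p' | tr 'A-F' 'a-f' | sort -u
}
# log_spis: SPIs the kernel rejected, from /var/log/messages or dmesg on stdin
log_spis() {
    sed -n 's|.*no key association found for SA [^/]*/\([0-9a-fA-F]*\)/.*|\1|p' \
        | tr 'A-F' 'a-f' | sort -u
}
# wire_spis: SPIs seen on the wire, from "tcpdump -s 0 -vv -ln proto 50" on stdin
wire_spis() {
    sed -n 's|.*ESP(spi=0x\([0-9a-fA-F]*\),.*|\1|p' | tr 'A-F' 'a-f' | sort -u
}
# spis_not_in_sad SAD_LIST CANDIDATES: print each candidate SPI absent from the SAD
spis_not_in_sad() {
    for _s in $2; do
        printf '%s\n' "$1" | grep -qx "$_s" || printf '%s\n' "$_s"
    done
}
# missing_spis SETKEY_TEXT LOG_TEXT: rejected SPIs the SAD never had. A rejected
# SPI that IS in the SAD points at a race (e.g. racoon replacing SAs on restart)
# rather than at a wrong or stale SA.
missing_spis() {
    spis_not_in_sad "$(printf '%s\n' "$1" | sad_spis)" "$(printf '%s\n' "$2" | log_spis)"
}
# unknown_wire_spis SETKEY_TEXT TCPDUMP_TEXT: SPIs the peer sends that we do not hold
unknown_wire_spis() {
    spis_not_in_sad "$(printf '%s\n' "$1" | sad_spis)" "$(printf '%s\n' "$2" | wire_spis)"
}

echo "Rejected SPIs absent from the SAD:"
missing_spis "$SETKEY_OUT" "$KERNEL_LOG"
echo "Wire SPIs absent from the SAD:"
unknown_wire_spis "$SETKEY_OUT" "$TCPDUMP_OUT"
```

On a live box, feed it `/usr/local/sbin/setkey -D` output when running the NAT-T patch, since the base setkey cannot parse that SAD.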