Date:      Tue, 30 Dec 2008 14:24:02 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To:        Gabe <nrml@att.net>
Cc:        freebsd-net@freebsd.org
Subject:   Re: +ipsec_common_input: no key association found for SA
Message-ID:  <20081230115445.A28465@maildrop.int.zabbadoz.net>
In-Reply-To: <258438.24300.qm@web83813.mail.sp1.yahoo.com>
References:  <258438.24300.qm@web83813.mail.sp1.yahoo.com>


[-- Attachment #1 --]
On Tue, 30 Dec 2008, Gabe wrote:

>> One more thing; if you are comparing SPIs from the log with setkey,
>> you can also run
>> tcpdump -s 0 -vv -ln proto 50
>> and it will show you something like
>>     ... ESP(spi=0x12345678,seq=0x..),
>> so you could as well compare what you receive on the wire with what
>> you get in the log. This would help to eliminate the case of a
>> problematic patch.
>
> However I still get the ipsec_common message albeit not as often, it
> appears to only be when I restart racoon now. I also tried matching the
> SPIs but the SPIs given by setkey -Da did not match the ones on the log.

Ok, can you try running the following script and see if the output
times match your racoon restarts or the log entries?

You need to set your interface and the tunnel endpoint IPs (as in box/box2).

/bz

-- 
Bjoern A. Zeeb                      The greatest risk is not taking one.
[-- Attachment #2 --]
#!/bin/sh

INT=XXX
REMOTETUNNELENDPOINT=aaa.bbb.ccc.ddd
MYTUNNELENDPOINT=www.xxx.yyy.zzz

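# Watch inbound ESP (IP protocol 50) packets from the remote tunnel endpoint
# and print a timestamped line whenever the SPI seen on the wire changes.
tcpdump -ln -i ${INT} -s0 src ${REMOTETUNNELENDPOINT} and dst ${MYTUNNELENDPOINT} and proto 50 | \
	awk 'BEGIN { debug=1; spi="uninitialized"; }
		{
			# Skip anything that is not an ESP line.
			if (!/ESP.spi=/) { next; }
			# Field 6 is "ESP(spi=0x...,seq=0x...),"; reduce it to the bare SPI.
			sub("ESP.spi=", "", $6);
			sub(",.*", "", $6);
			if ($6 == "") { if (debug) { printf "DEBUG: %s\n", $0; } next; }
			# Report only transitions, prefixed with the tcpdump timestamp.
			if (spi != $6) {
				printf "%s SPI changed %s -> %s\n", $1, spi, $6;
				spi=$6;
			}
		}'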

# end

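The comparison discussed in this message (SPIs on the wire versus SPIs in the SAD) can also be done offline. The following is an added example, not part of the original e-mail or its attachment: it reads saved `setkey -D` output and saved `tcpdump -ln proto 50` output and lists every (src, dst, SPI) seen on the wire that has no matching SA. It assumes `setkey -D` prints an unindented "src dst" line followed by an indented `esp ... spi=DEC(0xHEX)` line and that tcpdump lines have the `ESP(spi=0x...,seq=0x..)` form quoted above; the function names and the sample data are constructed.

```shell
# Added example, not from the thread. usage: unknown_spis SAD_DUMP CAPTURE
# SAD_DUMP is saved `setkey -D` output, CAPTURE is saved `tcpdump -ln proto 50` output.
unknown_spis() {
	awk '
	# Normalise an SPI: lower-case hex, 0x prefix, no leading zeros.
	function norm(s) {
		s = tolower(s); sub(/^0x/, "", s); sub(/^0+/, "", s);
		if (s == "") s = "0"; return "0x" s;
	}
	FILENAME == ARGV[1] {
		# An unindented "src dst" line opens an SA entry.
		if ($0 !~ /^[ \t]/ && NF >= 2) { sa_src = $1; sa_dst = $2; next; }
		# The indented "esp ... spi=DEC(0xHEX) ..." line carries its SPI.
		if ($1 == "esp" && match($0, /spi=[0-9]+\(0x[0-9a-fA-F]+\)/)) {
			hex = substr($0, RSTART, RLENGTH);
			sub(/^.*\(/, "", hex); sub(/\)$/, "", hex);
			sad[sa_src " " sa_dst " " norm(hex)] = 1;
		}
		next;
	}
	match($0, /ESP\(spi=0x[0-9a-fA-F]+/) {
		spi = norm(substr($0, RSTART + 8, RLENGTH - 8));
		dst = $5; sub(/:$/, "", dst);
		key = $3 " " dst " " spi;
		if (key in sad) next;
		if (!(key in seen)) { first[key] = $1; order[++n] = key; }
		seen[key]++;
	}
	END {
		for (i = 1; i <= n; i++)
			printf "%s first=%s packets=%d\n", order[i], first[order[i]], seen[order[i]];
	}' "$1" "$2"
}
# Constructed sample data: documentation addresses and made-up SPIs.
demo() {
	d=$(mktemp -d) || return 1
	cat > "$d/sad" <<'EOF'
192.0.2.1 192.0.2.2
	esp mode=tunnel spi=123456789(0x075bcd15) reqid=0(0x00000000)
EOF
	cat > "$d/cap" <<'EOF'
14:24:02.000001 IP 192.0.2.1 > 192.0.2.2: ESP(spi=0x075bcd15,seq=0x2a), length 116
14:24:05.000002 IP 192.0.2.1 > 192.0.2.2: ESP(spi=0x0a1b2c3d,seq=0x1), length 116
14:24:06.000003 IP 192.0.2.1 > 192.0.2.2: ESP(spi=0x0a1b2c3d,seq=0x2), length 116
EOF
	unknown_spis "$d/sad" "$d/cap"
	rm -rf "$d"
}
demo
```

The first-seen timestamp of each unmatched SPI can be lined up against racoon restart times and the `ipsec_common_input` log entries, the same correlation the attached script is meant to support.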