Date: Tue, 30 Dec 2014 16:32:41 +1100
From: Aristedes Maniatis <ari@ish.com.au>
To: Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au>
Cc: freebsd-stable@freebsd.org
Subject: Re: ipsec routing issue
Message-ID: <54A238F9.7040701@ish.com.au>
In-Reply-To: <54A1ED2F.2070305@heuristicsystems.com.au>
References: <54A17F33.2020708@ish.com.au> <AE3247B4-5692-4143-B8D4-3E5783C6F2CF@lists.zabbadoz.net> <54A1ED2F.2070305@heuristicsystems.com.au>
On 30/12/2014 11:09am, Dewayne Geraghty wrote:
> # These remain the same on the two end-points
> add 110.92.114.99 101.48.55.78 esp 25131 -E rijndael-cbc
>     "from_here_to_there12345 *";
> add 101.48.55.78 110.92.114.99 esp 25136 -E rijndael-cbc
>     "from_there_to_here 12345&";

I've never done anything like this, just spdadd lines... none of the docs
I've found say to do this. I understand that this adds entries to the
Security Association Database, which sounds like a union for security
people.

When I look at the result of "setkey -D" I get 12 entries, so it seems
that something is there already. Looks like I get a set of three entries
for each tunnel, for each direction.

202.161.111.54 202.127.223.110
	ipcomp mode=tunnel spi=32898(0x00008082) reqid=16394(0x0000400a)
	C: deflate
	seq=0x00000000 replay=0 flags=0x00000080 state=mature
	created: Dec 30 15:33:39 2014	current: Dec 30 16:26:14 2014
	diff: 3155(s)	hard: 14400(s)	soft: 11120(s)
	last:	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=2 pid=38134 refcnt=1
202.161.111.54 202.127.223.110
	ipcomp mode=tunnel spi=49151(0x0000bfff) reqid=16394(0x0000400a)
	C: deflate
	seq=0x00000000 replay=0 flags=0x00000080 state=mature
	created: Dec 30 15:33:29 2014	current: Dec 30 16:26:14 2014
	diff: 3165(s)	hard: 14400(s)	soft: 11120(s)
	last:	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=1 pid=38134 refcnt=1
202.161.111.54 202.127.223.110
	esp mode=tunnel spi=229368149(0x0dabe155) reqid=0(0x00000000)
	E: blowfish-cbc  0c9e4d52 f7550f65 f5000990 5597db6e
	A: hmac-sha1  dd05d1b2 78f43bcb 56bc7d5d 60c7c9bc 918f2c2a
	seq=0x00001483 replay=4 flags=0x00000000 state=mature
	created: Dec 30 15:33:29 2014	current: Dec 30 16:26:14 2014
	diff: 3165(s)	hard: 14400(s)	soft: 11120(s)
	last: Dec 30 16:26:14 2014	hard: 0(s)	soft: 0(s)
	current: 421280(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 5251	hard: 0	soft: 0
	sadb_seq=0 pid=38134 refcnt=1

Am I expecting to see "C: deflate" in here twice?

(again, like the other emails, I've changed a few IP addresses to
obfuscate the real servers, but I changed them the same way as in the
other email).

Thanks for your help

Ari

-- 
-------------------------->
Aristedes Maniatis
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001   fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?54A238F9.7040701>
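As an added example (not code from this thread or from FreeBSD), the following Python 3.8+ script reads the `setkey -D` dump format shown in the message above, groups the SAs per peer pair and protocol, flags any group that holds more than one mature SA (the two ipcomp entries in the dump are such a pair), and redacts the key hex on the E:/A: lines. It assumes the layout setkey(8) prints, a "src dst" line followed by tab-indented attribute lines; SAMPLE_DUMP is constructed from the three SAs quoted in the message (same obfuscated addresses, most lifetime lines trimmed), and the function names are my own.

```python
"""Summarise and redact FreeBSD `setkey -D` (SAD dump) output.

Added example, not code from the thread or from FreeBSD.  Assumes the
setkey(8) layout: a "src dst" line per SA, then tab-indented attributes.
SAMPLE_DUMP is constructed from the three SAs quoted above (same
obfuscated addresses), with most lifetime lines trimmed."""
import re
import sys
from collections import defaultdict

SAMPLE_DUMP = """\
202.161.111.54 202.127.223.110
\tipcomp mode=tunnel spi=32898(0x00008082) reqid=16394(0x0000400a)
\tC: deflate
\tseq=0x00000000 replay=0 flags=0x00000080 state=mature
\tcurrent: 0(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
202.161.111.54 202.127.223.110
\tipcomp mode=tunnel spi=49151(0x0000bfff) reqid=16394(0x0000400a)
\tC: deflate
\tseq=0x00000000 replay=0 flags=0x00000080 state=mature
\tcurrent: 0(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
202.161.111.54 202.127.223.110
\tesp mode=tunnel spi=229368149(0x0dabe155) reqid=0(0x00000000)
\tE: blowfish-cbc  0c9e4d52 f7550f65 f5000990 5597db6e
\tA: hmac-sha1  dd05d1b2 78f43bcb 56bc7d5d 60c7c9bc 918f2c2a
\tseq=0x00001483 replay=4 flags=0x00000000 state=mature
\tcreated: Dec 30 15:33:29 2014\tcurrent: Dec 30 16:26:14 2014
\tcurrent: 421280(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tsadb_seq=0 pid=38134 refcnt=1
"""

HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s*$")
PROTO_RE = re.compile(r"^(esp|ah|ipcomp)\s+mode=\S+\s+spi=(\d+)\(\S+\)\s+reqid=(\d+)")
KEY_RE = re.compile(r"^([EA]):\s+(\S+)\s*(.*)$")     # E: enc alg + key, A: auth alg + key
COMP_RE = re.compile(r"^C:\s+(\S+)")
STATE_RE = re.compile(r"\bstate=(\w+)")
BYTES_RE = re.compile(r"current:\s+(\d+)\(bytes\)")  # not the "current: <date>" field

def parse_sad(text):
    """Return one dict per SA found in a `setkey -D` dump."""
    sas, cur = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():                       # "src dst" opens a new SA
            m = HEADER_RE.match(raw)
            if not m:
                raise ValueError("unexpected line in SAD dump: %r" % raw)
            cur = dict(src=m.group(1), dst=m.group(2), proto=None, spi=None, reqid=None,
                       enc=None, auth=None, comp=None, state=None, bytes=0)
            sas.append(cur)
        elif cur is None:
            raise ValueError("attribute line before any SA header")
        elif m := PROTO_RE.match(raw.strip()):
            cur["proto"], cur["spi"], cur["reqid"] = m.group(1), int(m.group(2)), int(m.group(3))
        elif m := KEY_RE.match(raw.strip()):
            cur["enc" if m.group(1) == "E" else "auth"] = m.group(2)
        elif m := COMP_RE.match(raw.strip()):
            cur["comp"] = m.group(1)
        else:                                          # state and lifetime lines
            if m := STATE_RE.search(raw):
                cur["state"] = m.group(1)
            if m := BYTES_RE.search(raw):
                cur["bytes"] = int(m.group(1))
    return sas

def group_by_peer(sas):
    """Group SAs on (src, dst, proto): one tunnel direction per key."""
    groups = defaultdict(list)
    for sa in sas:
        groups[(sa["src"], sa["dst"], sa["proto"])].append(sa)
    return dict(groups)

def find_duplicates(sas):
    """Groups holding more than one mature SA (the ipcomp pair above)."""
    return {k: v for k, v in group_by_peer(sas).items()
            if sum(1 for s in v if s["state"] == "mature") > 1}

def report(sas):
    """One summary line per group, plus a WARNING per duplicate group."""
    lines = []
    for (src, dst, proto), members in sorted(group_by_peer(sas).items()):
        lines.append("%s -> %s %-6s %d SA(s) spi=[%s] reqid=%s bytes=%d" % (
            src, dst, proto, len(members),
            ", ".join("0x%08x" % s["spi"] for s in members),
            sorted({s["reqid"] for s in members}), sum(s["bytes"] for s in members)))
    for (src, dst, proto), members in sorted(find_duplicates(sas).items()):
        lines.append("WARNING: %d mature %s SAs %s -> %s" % (len(members), proto, src, dst))
    return lines

def redact_keys(text):
    """Blank the key hex on E:/A: lines; `setkey -D` prints the live ESP
    keys, so do this before pasting a dump anywhere public."""
    out = []
    for raw in text.splitlines():
        m = KEY_RE.match(raw.strip())
        indent = raw[:len(raw) - len(raw.lstrip())]
        out.append("%s%s: %s  <redacted>" % (indent, m.group(1), m.group(2)) if m else raw)
    return "\n".join(out) + "\n"

if __name__ == "__main__":   # usage: setkey -D | python3 sad_summary.py -
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_DUMP
    print("\n".join(report(parse_sad(text))), redact_keys(text), sep="\n\n")
```

Run without arguments it works on the embedded sample; with `-` it reads a live dump from stdin. The E: and A: lines of an ESP entry are the encryption and authentication keys of that SA, which is why the script rewrites them before you hand the output to anyone. The duplicate check only reports that two mature SAs share a peer pair and protocol; whether that is expected on a given box is for the operator to decide.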