From: Gabe
To: "Bjoern A. Zeeb"
Cc: freebsd-net@freebsd.org
Date: Tue, 30 Dec 2008 23:56:16 -0800 (PST)
Subject: Re: +ipsec_common_input: no key association found for SA

> From: Bjoern A. Zeeb
> Subject: Re: +ipsec_common_input: no key association found for SA
> To: "Gabe"
> Cc: freebsd-net@freebsd.org
> Date: Tuesday, December 30, 2008, 6:24 AM
>
> On Tue, 30 Dec 2008, Gabe wrote:
>
> >> One more thing; if you are comparing SPIs from the log with setkey,
> >> you can also run
> >>    tcpdump -s 0 -vv -ln proto 50
> >> and it will show you something like
> >>    ... ESP(spi=0x12345678,seq=0x..),
> >> so you could as well compare what you receive on the wire with what
> >> you get in the log. This would help to eliminate the case of a
> >> problematic patch.
> >
> > However I still get the ipsec_common message albeit not as often, it
> > appears to only be when I restart racoon now. I also tried matching the
> > SPIs but the SPIs given by setkey -Da did not match the ones on the log.
>
> Ok, can you try running the following script and see if the output
> times match your racoon restarts or the log entries?
>
> You need to set your interface and the tunnel endpoint IPs
> (as in box/box2).
>
> /bz

I restarted racoon and cleared out the keys then I ran the script which returned:

on BOX:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
23:51:13.032336 SPI changed uninitialized -> 0x0878469a
23:51:13.063318 SPI changed 0x0878469a -> 0x091b7ada
^C1154 packets captured
1597 packets received by filter
0 packets dropped by kernel

on BOX2:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
23:53:43.594785 SPI changed uninitialized -> 0x01d66237
^C2404 packets captured
9701 packets received by filter
0 packets dropped by kernel

box and box2 are the local and end point respectively.

/gabe
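
Added example, not part of the original message and not the script referred to in the thread (that script is not shown here): one way to turn tcpdump ESP output into "SPI changed" lines like those above, so the timestamps can be compared with racoon restarts and kernel log entries. It goes a step further than the output quoted above by tracking the SPI separately per direction, since each direction of a tunnel has its own SA. The function names, addresses and sample lines are constructed for illustration; both the one-line and the -vv two-line tcpdump layouts are accepted.

```python
import re
import sys

# A tcpdump record starts with a timestamp; with -v/-vv the addresses and
# the ESP header follow on an indented continuation line.
TS_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+)\s")
ESP_RE = re.compile(r"(\S+) > (\S+): ESP\(spi=(0x[0-9a-fA-F]+),seq=")

def spi_changes(lines):
    """Yield (timestamp, src, dst, old_spi, new_spi) each time the SPI seen
    for one direction (src -> dst) differs from the previous packet's."""
    last = {}   # (src, dst) -> last SPI seen in that direction
    ts = None   # timestamp of the record currently being read
    for line in lines:
        m = TS_RE.match(line)
        if m:
            ts = m.group(1)
        m = ESP_RE.search(line)
        if not m:
            continue
        src, dst, spi = m.group(1), m.group(2), int(m.group(3), 16)
        old = last.get((src, dst))
        if old != spi:
            yield ts, src, dst, old, spi
            last[(src, dst)] = spi

def fmt(spi):
    """Render an SPI the way setkey and tcpdump print it."""
    return "uninitialized" if spi is None else f"0x{spi:08x}"

# Constructed sample capture (documentation addresses); the SPI values are
# reused from the output quoted in the message, the packets are not real.
SAMPLE = """\
23:51:13.032336 IP 192.0.2.1 > 198.51.100.2: ESP(spi=0x0878469a,seq=0x1), length 116
23:51:13.040000 IP 198.51.100.2 > 192.0.2.1: ESP(spi=0x01d66237,seq=0x1), length 116
23:51:13.050000 IP 192.0.2.1 > 198.51.100.2: ESP(spi=0x0878469a,seq=0x2), length 116
23:51:13.063318 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto ESP (50), length 136)
    192.0.2.1 > 198.51.100.2: ESP(spi=0x091b7ada,seq=0x1), length 116
"""

if __name__ == "__main__":
    # Reads tcpdump output from a pipe; falls back to the sample on a tty.
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for ts, src, dst, old, new in spi_changes(source):
        print(f"{ts} {src} > {dst}: SPI changed {fmt(old)} -> {fmt(new)}")
```

To use it live, pipe the tcpdump command from the thread into the script (saved under any name) and compare the reported SPIs with `setkey -Da` on both endpoints.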