From owner-freebsd-net@freebsd.org  Fri Apr 20 15:48:30 2018
Return-Path: <owner-freebsd-net@freebsd.org>
Delivered-To: freebsd-net@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id B1E7DFADC8C
 for <freebsd-net@mailman.ysv.freebsd.org>;
 Fri, 20 Apr 2018 15:48:30 +0000 (UTC) (envelope-from vit@otcnet.ru)
Received: from mail.otcnet.ru (mail.otcnet.ru [194.190.78.3])
 by mx1.freebsd.org (Postfix) with ESMTP id 4230374674
 for <freebsd-net@freebsd.org>; Fri, 20 Apr 2018 15:48:27 +0000 (UTC)
 (envelope-from vit@otcnet.ru)
Received: from Victors-MacBook-Air-2.local (unknown [213.33.226.214])
 by mail.otcnet.ru (Postfix) with ESMTPSA id 2A7AE5965C9
 for <freebsd-net@freebsd.org>; Fri, 20 Apr 2018 18:48:25 +0300 (MSK)
Subject: Re: multiple if_ipsec
To: freebsd-net@freebsd.org
References: <b859ed18-e511-3640-4662-4242a53d999c@otcnet.ru>
 <5e36ac3f-39ce-72c5-cd97-dd3c4cf551a7@yandex.ru>
From: Victor Gamov <vit@otcnet.ru>
Organization: OTCnet
Message-ID: <30d1c5f9-56e7-c67b-43e1-e6f0457360a8@otcnet.ru>
Date: Fri, 20 Apr 2018 18:48:24 +0300
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:52.0)
 Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <5e36ac3f-39ce-72c5-cd97-dd3c4cf551a7@yandex.ru>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Apr 2018 15:48:30 -0000

On 20/04/2018 13:04, Andrey V. Elsukov wrote:
> On 20.04.2018 11:17, Victor Gamov wrote:
>> All local SA configured and established and remote side (Cisco routers)
>> report SA established too.
>>
>> But traffic goes via only one ipsec-interface.
> 
> If you have all SAs established, you probably need to check your routing
> configuration. Or at least test that addresses configured on the ipsecXX
> interfaces are reachable.

More correct problem is:  last configured ipsec interface tx/rx traffic 
only.  For my example:

- ping from 10.10.98.1 to 10.10.98.2 via ipsec30 is OK

- ping from 10.10.98.2 to 10.10.98.1 via ipsec30 is OK

- ping from 10.10.98.5 (Cisco) to 10.10.98.6 via ipsec25 -- no 
responses, but I see ESP traffic on external interface and (!!!) 
ICMP-reply from 10.10.98.5 to 10.10.98.6 on ipsec25  (but no 
ICMP-request on ipsec25 !!!)

- ping from 10.10.98.6 to 10.10.98.5 via ipsec25 -- no responses, I see 
ICMP-request on ipsec25 but no ESP-traffic on external interface


Any suggestion?

-- 
С уважением,
Гамов Виктор