Date:      Mon, 27 Jan 2003 04:25:36 -0800
From:      Peter Haight <peterh@sapros.com>
To:        freebsd-questions@freebsd.org
Subject:   FreeBSD IPSEC tunnel stopped working.
Message-ID:  <200301271225.h0RCPaLG001029@wartch.sapros.com>


I had a FreeBSD IPSEC tunnel set up between two machines that stopped
working when I upgraded one of the machines to a newer version of
4.7-STABLE. I'm not sure what the problem is. When I watch the packets on
the outside interfaces, I see the packet go out from one host, the older
(4.7-RELEASE) machine replies, but the new one never moves that reply packet
back across the tunnel.

'netstat -sn -p ipsec' is reporting that packets are "violating process
security policy". I'm pretty sure that is the problem, but I'm not sure what
that means.

Here's setkey -DP (4.7-STABLE):

192.168.1.1/24[any] 10.10.1.1/24[any] any
        in ipsec
        esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
        spid=24 seq=1 pid=24319
        refcnt=1
10.10.1.1/24[any] 192.168.1.1/24[any] any
        out ipsec
        esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
        spid=23 seq=0 pid=24319
        refcnt=1

setkey -DP (4.7-RELEASE):
10.10.1.1/24[any] 192.168.1.1/24[any] any
        in ipsec
        esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
        spid=4 seq=1 pid=8760
        refcnt=1
192.168.1.1/24[any] 10.10.1.1/24[any] any
        out ipsec
        esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
        spid=3 seq=0 pid=8760
        refcnt=1


netstat -sn -p ipsec (4.7-STABLE):
ipsec:
        1688 inbound packets processed successfully
        1682 inbound packets violated process security policy
        0 inbound packets with no SA available
        0 invalid inbound packets
        0 inbound packets failed due to insufficient memory
        0 inbound packets failed getting SPI
        0 inbound packets failed on AH replay check
        0 inbound packets failed on ESP replay check
        0 inbound packets considered authentic
        0 inbound packets failed on authentication
        ESP input histogram:
                blowfish-cbc: 1688
        588 outbound packets processed successfully
        0 outbound packets violated process security policy
        11 outbound packets with no SA available
        0 invalid outbound packets
        0 outbound packets failed due to insufficient memory
        0 outbound packets with no route
        ESP output histogram:
                blowfish-cbc: 588
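
A diagnostic check for the situation described in the post, added here as an example (it is not part of the original message): it parses 'setkey -DP' from both hosts, verifies that every 'out' tunnel policy is mirrored by an 'in' policy on the peer with the same selectors and tunnel endpoints, and reads the 'inbound packets violated process security policy' counter from 'netstat -sn -p ipsec'. The sample dumps are the ones quoted above, with the post's XX/YY address placeholders; run over them the two SPDs come out consistent, so the counter points at how the upgraded kernel applies the inbound policy rather than at a mistyped selector.

```python
import re
# Constructed samples copied from the post: each host's `setkey -DP` and the
# 4.7-STABLE `netstat -sn -p ipsec` counters (XX/YY placeholders are the post's).
STABLE_SPD = """192.168.1.1/24[any] 10.10.1.1/24[any] any
    in ipsec
    esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
10.10.1.1/24[any] 192.168.1.1/24[any] any
    out ipsec
    esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
"""
RELEASE_SPD = """10.10.1.1/24[any] 192.168.1.1/24[any] any
    in ipsec
    esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
192.168.1.1/24[any] 10.10.1.1/24[any] any
    out ipsec
    esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
"""
STABLE_STATS = """ipsec:
        1688 inbound packets processed successfully
        1682 inbound packets violated process security policy
"""
# One tunnel-mode policy: selector header line, direction line, tunnel line.
SP_RE = re.compile(r"^(\S+)\[\S+\] (\S+)\[\S+\] \S+\n\s+(in|out) ipsec\n"
                   r"\s+(\w+)/tunnel/(\S+)-(\S+)/(\w+)", re.M)
STAT_RE = re.compile(r"^\s*(\d+) (.+?)\s*$", re.M)

def parse_spd(text):
    """Return one dict per tunnel-mode policy in `setkey -DP` output."""
    return [dict(src=m[1], dst=m[2], dir=m[3], proto=m[4],
                 tun=(m[5], m[6]), level=m[7]) for m in SP_RE.finditer(text)]

def spd_mismatches(local, peer):
    """'out' policies on `local` lacking a peer 'in' policy with the same
    selectors and tunnel endpoints (the packet direction is the same on both
    hosts, so nothing is swapped)."""
    ins = {(p["src"], p["dst"], p["tun"]) for p in peer if p["dir"] == "in"}
    return [p for p in local
            if p["dir"] == "out" and (p["src"], p["dst"], p["tun"]) not in ins]

def parse_ipsec_stats(text):
    """Map each `netstat -sn -p ipsec` counter description to its value."""
    return {m[2]: int(m[1]) for m in STAT_RE.finditer(text)}

def diagnose(local_spd, peer_spd, stats):
    """Findings as strings; an empty list means both checks passed."""
    findings = [f"no matching 'in' policy on peer for {p['src']} -> {p['dst']}"
                for p in spd_mismatches(local_spd, peer_spd)]
    dropped = stats.get("inbound packets violated process security policy", 0)
    if dropped:
        findings.append(f"{dropped} inbound packets dropped by SPD check")
    return findings
```

To use it on live hosts, paste each side's dump into the corresponding string; the check is only as good as the dumps being taken at the same moment.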
