From: Victor Gamov <vit@otcnet.ru>
Organization: OTCnet
To: freebsd-net@freebsd.org
Subject: Re: multiple if_ipsec
Date: Sat, 21 Apr 2018 19:16:38 +0300
Message-ID: <77c37ff9-8de3-dec0-176a-2b34db136bc5@otcnet.ru>
References: <5e36ac3f-39ce-72c5-cd97-dd3c4cf551a7@yandex.ru> <30d1c5f9-56e7-c67b-43e1-e6f0457360a8@otcnet.ru>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>

On 20/04/2018 19:42, Andrey V. Elsukov wrote:
> On 20.04.2018 18:48, Victor Gamov wrote:
>> A more precise statement of the problem: only the last configured ipsec
>> interface sends/receives traffic. For my example:
>>
>> - ping from 10.10.98.1 to 10.10.98.2 via ipsec30 is OK
>>
>> - ping from 10.10.98.2 to 10.10.98.1 via ipsec30 is OK
>>
>> - ping from 10.10.98.5 (Cisco) to 10.10.98.6 via ipsec25: no
>> responses, but I see ESP traffic on the external interface and (!!!)
>> an ICMP reply from 10.10.98.5 to 10.10.98.6 on ipsec25 (but no
>> ICMP request on ipsec25 !!!)
>>
>> - ping from 10.10.98.6 to 10.10.98.5 via ipsec25: no responses, I see
>> the ICMP request on ipsec25 but no ESP traffic on the external interface
>
> This looks like you don't have an outbound SA for the ipsec25 interface.
> If you run `netstat -w1 -I ipsec25` and ping 10.10.98.5,
> there should be output errors.
>
> `setkey -D` should have the SA:
>
> IP-FreeBSD IP-Cisco-RTR-1
> esp mode=tunnel spi=xxxx reqid=25
> ......
> ................. state=mature
>
> Do you have it?

Yes, I have all SAs, two for every ipsec interface. And there are no
errors in `netstat -w1 -I ipsec25` while pinging 10.10.98.5; only the
output bytes counter shows 84 bytes per second (one ICMP request).

When I change the ipsec interface creation order, again only the last
created interface works fine and the previously configured interfaces do
not work.

And a very interesting fact: when I ping from the remote 10.10.98.5, for
example, to FreeBSD 10.10.98.6, no ICMP request comes in over the ipsec
interface, but an ICMP reply goes out via this ipsec interface (and is not
delivered to 10.10.98.5).

Any ideas?

-- 
Best regards,
Victor Gamov
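The check Andrey asks for above (an outbound SA for the interface's reqid, plus the inbound one, both tunnel-mode and state=mature) is easy to get wrong by eye when several if_ipsec interfaces share a peer. The following is an added example, not code from the thread or from FreeBSD: a POSIX shell function that parses a `setkey -D` dump from stdin and reports whether both directions exist for a given local address, peer address and reqid. The dump embedded below is constructed for the example (RFC 5737 documentation addresses, made-up SPIs); the parser assumes the `src dst` header line of each SA record is unindented and the `esp mode=... reqid=N(0x...)` and `... state=...` lines follow it, as in the format Andrey quotes.

```shell
#!/bin/sh
# Added example (not from the thread): check that a `setkey -D` dump contains
# both an outbound (local -> peer) and an inbound (peer -> local) tunnel-mode
# SA with the given reqid, each in state=mature.
#
# Usage against a live system:  setkey -D | sa_status <local> <peer> <reqid>
# Prints one of: ok, missing-outbound, missing-inbound, missing-both.

sa_status() {
    # $1 = local address, $2 = peer address, $3 = reqid; dump on stdin
    awk -v local="$1" -v peer="$2" -v want="$3" '
        # An unindented line with two fields starts a new SA record: "src dst".
        /^[^[:space:]]/ && NF >= 2 { src = $1; dst = $2; mode = ""; reqid = ""; next }
        # The "esp mode=tunnel spi=... reqid=N(0x...)" line: pull mode and reqid.
        /^[[:space:]]*(esp|ah) / {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^mode=/)  { mode = substr($i, 6) }
                if ($i ~ /^reqid=/) { reqid = substr($i, 7); sub(/\(.*/, "", reqid) }
            }
            next
        }
        # The "... state=mature" line closes the part of the record we care about.
        /state=/ {
            state = $0; sub(/.*state=/, "", state); sub(/[[:space:]].*/, "", state)
            if (mode == "tunnel" && reqid == want && state == "mature") {
                if (src == local && dst == peer) out++
                if (src == peer  && dst == local) inb++
            }
        }
        END {
            if (out > 0 && inb > 0)  print "ok"
            else if (out > 0)        print "missing-inbound"
            else if (inb > 0)        print "missing-outbound"
            else                     print "missing-both"
        }'
}

# Constructed sample dump (not real output): reqid 30 has both directions,
# reqid 25 has only the inbound SA from the peer 203.0.113.1.
SAMPLE_DUMP='192.0.2.1 198.51.100.1
    esp mode=tunnel spi=305419896(0x12345678) reqid=30(0x0000001e)
    E: aes-cbc  0123456789abcdef0123456789abcdef
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.1 192.0.2.1
    esp mode=tunnel spi=2271560481(0x87654321) reqid=30(0x0000001e)
    E: aes-cbc  fedcba9876543210fedcba9876543210
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
203.0.113.1 192.0.2.1
    esp mode=tunnel spi=3735928559(0xdeadbeef) reqid=25(0x00000019)
    E: aes-cbc  00112233445566778899aabbccddeeff
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
'

printf '%s' "$SAMPLE_DUMP" | sa_status 192.0.2.1 198.51.100.1 30   # prints ok
printf '%s' "$SAMPLE_DUMP" | sa_status 192.0.2.1 203.0.113.1 25   # prints missing-outbound
```

On a live box run it once per interface with the reqid you passed to `ifconfig ipsecN reqid`; a `missing-outbound` result is the situation Andrey describes, where `netstat -w1 -I ipsecN` would show output errors because there is nothing to encapsulate the packet with.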