From owner-freebsd-questions  Mon Jan 27  9:31:19 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4062837B401 for ; Mon, 27 Jan 2003 09:31:17 -0800 (PST)
Received: from diana.northnetworks.ca (att-ws20.switchview.com [216.13.70.20]) by mx1.FreeBSD.org (Postfix) with ESMTP id 65F4E43EB2 for ; Mon, 27 Jan 2003 09:31:12 -0800 (PST) (envelope-from iaccounts@northnetworks.ca)
Received: from northnetworks.ca ([192.168.0.250]) by diana.northnetworks.ca (8.11.6/8.11.6) with ESMTP id h0RHUud54981; Mon, 27 Jan 2003 12:30:59 -0500 (EST) (envelope-from iaccounts@northnetworks.ca)
Message-ID: <3E356C73.10401@northnetworks.ca>
Date: Mon, 27 Jan 2003 12:29:23 -0500
From: Steve Bertrand
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.0.1) Gecko/20021218
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Peter Haight
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD IPSEC tunnel stoped working.
References: <200301271225.h0RCPaLG001029@wartch.sapros.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Looks like the 'spi' are out of sync on the 2 machines. This is after a
quick glance, but I know on my IPSec setup (with manual keys), the spi's
have to be such:

Stable in spi == Release out spi
Release in spi == Stable out spi

Are you using racoon? If not, post your ipsec script.

Steve Bertrand

Peter Haight wrote:

>I had a FreeBSD IPSEC tunnel set up between two machines that stopped
>working when I upgraded one of the machines to a newer version of
>4.7-STABLE. I'm not sure what the problem is. When I watch the packets on
>the outside interfaces, I see the packet go out from one host, the older
>(4.7-RELEASE) machine replies, but the new one never moves that reply packet
>back across the tunnel.
>
>'netstat -sn -p ipsec' is reporting that packets are "violating process
>security policy". I'm pretty sure that is the problem, but I'm not sure what
>that means.
>
>Here's setkey -DP (4.7-STABLE):
>
>192.168.1.1/24[any] 10.10.1.1/24[any] any
>        in ipsec
>        esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
>        spid=24 seq=1 pid=24319
>        refcnt=1
>10.10.1.1/24[any] 192.168.1.1/24[any] any
>        out ipsec
>        esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
>        spid=23 seq=0 pid=24319
>        refcnt=1
>
>setkey -DP (4.7-RELEASE):
>10.10.1.1/24[any] 192.168.1.1/24[any] any
>        in ipsec
>        esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
>        spid=4 seq=1 pid=8760
>        refcnt=1
>192.168.1.1/24[any] 10.10.1.1/24[any] any
>        out ipsec
>        esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
>        spid=3 seq=0 pid=8760
>        refcnt=1
>
>
>netstat -sn -p ipsec (4.7-STABLE):
>ipsec:
>        1688 inbound packets processed successfully
>        1682 inbound packets violated process security policy
>        0 inbound packets with no SA available
>        0 invalid inbound packets
>        0 inbound packets failed due to insufficient memory
>        0 inbound packets failed getting SPI
>        0 inbound packets failed on AH replay check
>        0 inbound packets failed on ESP replay check
>        0 inbound packets considered authentic
>        0 inbound packets failed on authentication
>        ESP input histogram:
>                blowfish-cbc: 1688
>        588 outbound packets processed successfully
>        0 outbound packets violated process security policy
>        11 outbound packets with no SA available
>        0 invalid outbound packets
>        0 outbound packets failed due to insufficient memory
>        0 outbound packets with no route
>        ESP output histogram:
>                blowfish-cbc: 588
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message
>
>
>
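Steve's crosswise SPI rule for manually keyed tunnels, as an added example that is not part of the thread or of either poster's configuration: a POSIX sh script that takes the setkey.conf of each endpoint and checks that both hosts install the two SAs with identical SPIs (so host A's inbound SA is host B's outbound SA and vice versa) and that every policy on one host is the direction-flipped mirror of the peer's. The addresses are constructed stand-ins (192.0.2.10 for the 4.7-STABLE host's outer address YY.YY.YY.YY, 198.51.100.20 for the 4.7-RELEASE host's XX.XX.XX.XX), the inner networks follow the thread's 10.10.1.0/24 and 192.168.1.0/24, the keys and SPIs are dummy values, and the function names sa_list, sp_list, sp_mirror and check_pair are this example's own.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: check that the manual-key
# setkey.conf files of two IPsec tunnel endpoints agree with each other.
# With manual keying both hosts install the same two SAs; the SA whose
# destination is the local outer address is that host's inbound SA and the
# other is its outbound SA, so the SPIs must pair up crosswise exactly as
# described in the thread (A's inbound SPI == B's outbound SPI and vice
# versa). Each host's policies must also be the mirror image of the peer's.
#
# Addresses, SPIs and keys below are constructed for illustration:
# 192.0.2.10 stands in for the 4.7-STABLE host's outer address (YY.YY.YY.YY),
# 198.51.100.20 for the 4.7-RELEASE host's (XX.XX.XX.XX); the keys are
# dummy values and must never be reused.

# Host A (4.7-STABLE, inner net 10.10.1.0/24).
A_CONF=$(cat <<'EOF'
flush;
spdflush;
add 192.0.2.10 198.51.100.20 esp 0x1001 -m tunnel -E blowfish-cbc 0x00112233445566778899aabbccddeeff;
add 198.51.100.20 192.0.2.10 esp 0x1002 -m tunnel -E blowfish-cbc 0xffeeddccbbaa99887766554433221100;
spdadd 10.10.1.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/192.0.2.10-198.51.100.20/require;
spdadd 192.168.1.0/24 10.10.1.0/24 any -P in ipsec esp/tunnel/198.51.100.20-192.0.2.10/require;
EOF
)

# Host B (4.7-RELEASE, inner net 192.168.1.0/24), correctly paired with A:
# same two SAs, same SPIs, policies with the directions swapped.
B_GOOD=$(cat <<'EOF'
flush;
spdflush;
add 192.0.2.10 198.51.100.20 esp 0x1001 -m tunnel -E blowfish-cbc 0x00112233445566778899aabbccddeeff;
add 198.51.100.20 192.0.2.10 esp 0x1002 -m tunnel -E blowfish-cbc 0xffeeddccbbaa99887766554433221100;
spdadd 192.168.1.0/24 10.10.1.0/24 any -P out ipsec esp/tunnel/198.51.100.20-192.0.2.10/require;
spdadd 10.10.1.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/192.0.2.10-198.51.100.20/require;
EOF
)

# Host B with the kind of mistake the thread suspects: the SA that B sends
# on (and A must receive on) carries a different SPI from the one A installed.
B_BAD=$(printf '%s\n' "$B_GOOD" | sed 's/esp 0x1002 /esp 0x1003 /')

# sa_list CONF: "src dst spi" for every manual SA ("add" line), sorted.
sa_list() {
    printf '%s\n' "$1" | awk '$1 == "add" { print $2, $3, $5 }' | sort
}

# sp_list CONF: "src dst proto dir tunnel" for every policy ("spdadd"), sorted.
sp_list() {
    printf '%s\n' "$1" | awk '$1 == "spdadd" { print $2, $3, $4, $6, $8 }' | sort
}

# sp_mirror CONF: the same policies with the direction flipped, which is
# exactly what the peer must have installed for the same flows.
sp_mirror() {
    printf '%s\n' "$1" | awk '$1 == "spdadd" {
        dir = ($6 == "out") ? "in" : "out"
        print $2, $3, $4, dir, $8
    }' | sort
}

# check_pair A_CONF B_CONF: returns 0 when every SA carries the same SPI on
# both hosts and every policy on A is mirrored on B; otherwise prints the
# disagreement and returns 1.
check_pair() {
    rc=0
    a_sa=$(sa_list "$1"); b_sa=$(sa_list "$2")
    if [ "$a_sa" != "$b_sa" ]; then
        echo "SPI mismatch (src dst spi):"
        printf '%s\n' "$a_sa" | sed 's/^/  host A: /'
        printf '%s\n' "$b_sa" | sed 's/^/  host B: /'
        rc=1
    fi
    want=$(sp_mirror "$1"); have=$(sp_list "$2")
    if [ "$want" != "$have" ]; then
        echo "policy mismatch (src dst proto dir tunnel):"
        printf '%s\n' "$want" | sed 's/^/  expected on B: /'
        printf '%s\n' "$have" | sed 's/^/  found on B:    /'
        rc=1
    fi
    return $rc
}

# Demo: the mismatched pair is reported, the corrected pair passes.
check_pair "$A_CONF" "$B_BAD"  || echo "=> host B needs fixing"
check_pair "$A_CONF" "$B_GOOD" && echo "=> host A and host B are consistent"
```

The script only compares the files as written; to compare what a kernel actually has loaded, feed it the output of `setkey -D` (SAD) and `setkey -DP` (SPD) instead, normalised to the same `add`/`spdadd` shape. It also checks nothing beyond the SPI and the policy direction: a key or algorithm typo on one side would pass this check and still leave every inbound packet undecryptable.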