Date: Fri, 03 Dec 2010 18:00:05 +0500
From: "Eugene M. Zheganin" <emz@norma.perm.ru>
To: freebsd-net@freebsd.org
Subject: Re: ah_input: packet replay failure
Message-ID: <4CF8E9D5.3060105@norma.perm.ru>
In-Reply-To: <20101202205442.C6126@maildrop.int.zabbadoz.net>
References: <4CF76AD4.1010704@norma.perm.ru> <20101202205442.C6126@maildrop.int.zabbadoz.net>

Hi.

On 03.12.2010 01:58, Bjoern A. Zeeb wrote:
>> I'm using FreeBSD as a security gateway:
>>
>> FreeBSD A >======ipsec over gre===> FreeBSD B
>
> What it means is that a packet with either an invalid sequence, a
> sequence lower than the last seen and outside the window, or a
> sequence seen already (lately) has arrived.
>
> Could it be that something is duplicating packets or that you have
> packet loss between A and B? Given that you say that you are running
> IPsec on top of GRE (which sounds strange anyway) I'd monitor the
> outer tunnel endpoints independently to see what's going on.

Well, could you be more exact, please, about what you meant by saying
'strange'? Probably my English isn't that good; I just tried to say that
I use ipsec to encrypt my gre tunnels.

Could this out-of-the-sequence thing be caused by traffic shaping, such as
pf ALTQing? I just realised that this is the only link I have which has
the queueing enabled.

Thanks.
Eugene.
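
The three rejection cases listed in the quoted reply, as an added example that is not part of this message and is not FreeBSD's ah_input code: a receiver-side anti-replay check using the bitmap sliding window that the IPsec RFCs describe. The 32-packet window size and all names here (replay_check_update, replay_after_run, the verdict enum) are assumptions made for illustration; the scenario helper shows what happens to a packet that is held back while later packets pass it.

```c
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 32u   /* assumed window size, in packets */
enum replay_verdict { REPLAY_OK, REPLAY_INVALID, REPLAY_TOO_OLD, REPLAY_DUPLICATE };
struct replay_state {
    uint32_t last_seq;  /* highest sequence number accepted so far */
    uint32_t bitmap;    /* bit i set: sequence (last_seq - i) was seen */
};

/* Check seq against the window and record it if accepted. A real receiver
 * updates the window only after the packet's integrity check has passed. */
enum replay_verdict replay_check_update(struct replay_state *st, uint32_t seq)
{
    uint32_t diff;
    if (seq == 0)
        return REPLAY_INVALID;      /* invalid sequence */
    if (seq > st->last_seq) {       /* new highest: slide the window */
        diff = seq - st->last_seq;
        st->bitmap = (diff < REPLAY_WINDOW) ? (st->bitmap << diff) | 1u : 1u;
        st->last_seq = seq;
        return REPLAY_OK;
    }
    diff = st->last_seq - seq;
    if (diff >= REPLAY_WINDOW)
        return REPLAY_TOO_OLD;      /* lower than last seen, outside window */
    if (st->bitmap & (1u << diff))
        return REPLAY_DUPLICATE;    /* sequence seen already */
    st->bitmap |= 1u << diff;       /* late but inside the window */
    return REPLAY_OK;
}

/* Constructed scenario: 1..highest arrive in order except `skipped`
 * (0 = nothing skipped), then `late` arrives. Returns the verdict for `late`. */
enum replay_verdict replay_after_run(uint32_t highest, uint32_t skipped, uint32_t late)
{
    struct replay_state st = {0, 0};
    uint32_t s;
    for (s = 1; s <= highest; s++)
        if (s != skipped)
            (void)replay_check_update(&st, s);
    return replay_check_update(&st, late);
}

int main(void)
{
    printf("passed by 15 packets: %d\n", replay_after_run(20, 5, 5));
    printf("passed by 35 packets: %d\n", replay_after_run(40, 5, 5));
    return 0;
}
```

With this window size, a packet overtaken by 31 later packets is still accepted, while one overtaken by 32 or more is rejected, as is any exact duplicate.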