From owner-freebsd-net@FreeBSD.ORG Fri Dec 3 13:00:21 2010
From: "Eugene M. Zheganin" <emz@norma.perm.ru>
To: freebsd-net@freebsd.org
Date: Fri, 03 Dec 2010 18:00:05 +0500
Subject: Re: ah_input: packet replay failure
Message-ID: <4CF8E9D5.3060105@norma.perm.ru>
In-Reply-To: <20101202205442.C6126@maildrop.int.zabbadoz.net>
References: <4CF76AD4.1010704@norma.perm.ru> <20101202205442.C6126@maildrop.int.zabbadoz.net>

Hi.

On 03.12.2010 01:58, Bjoern A. Zeeb wrote:
>> I'm using FreeBSD as a security gateway:
>>
>> FreeBSD A ======ipsec over gre===> FreeBSD B
>
> What it means is that a packet with either an invalid sequence, a
> sequence lower than the last seen and outside the window, or a
> sequence seen already (lately) has arrived.
>
> Could it be that something is duplicating packets or that you have
> packet loss between A and B? Given that you say that you are running
> IPsec on top of GRE (which sounds strange anyway) I'd monitor the
> outer tunnel endpoints independently to see what's going on.

Well, could you be more exact, please, about what you meant by saying 'strange'? Probably my English isn't that good; I just tried to say that I use IPsec to encrypt my GRE tunnels.

Could this out-of-sequence thing be caused by traffic shaping, such as pf ALTQing? I just realised that this is the only link I have which has queueing enabled.

Thanks.
Eugene.
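As an added illustration of the three failure cases Bjoern lists (not FreeBSD's own ah_input code), this is a minimal RFC 4302-style anti-replay sliding window: it shows why packets reordered by a queueing discipline are still accepted as long as they land inside the window, while anything older than the window or already seen is rejected. The 64-packet window and the sample sequence numbers are constructed for the example.

```c
/* Constructed anti-replay window (RFC 4302 Appendix B style), not FreeBSD code. */
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 64            /* assumed window size for the example */

struct replay_state {
    uint32_t last_seq;              /* highest sequence number accepted so far */
    uint64_t bitmap;                /* bit i set => (last_seq - i) was received */
};

enum replay_verdict { REPLAY_OK = 0, REPLAY_INVALID, REPLAY_TOO_OLD, REPLAY_DUPLICATE };

/* Check seq against the window and, if accepted, record it. */
enum replay_verdict replay_check(struct replay_state *st, uint32_t seq)
{
    if (seq == 0)                               /* invalid sequence: AH never sends 0 */
        return REPLAY_INVALID;
    if (seq > st->last_seq) {                   /* new high-water mark: slide window */
        uint32_t diff = seq - st->last_seq;
        st->bitmap = (diff < REPLAY_WINDOW) ? (st->bitmap << diff) | 1ULL : 1ULL;
        st->last_seq = seq;
        return REPLAY_OK;
    }
    uint32_t diff = st->last_seq - seq;
    if (diff >= REPLAY_WINDOW)                  /* lower than last seen, outside window */
        return REPLAY_TOO_OLD;
    if (st->bitmap & (1ULL << diff))            /* seen already */
        return REPLAY_DUPLICATE;
    st->bitmap |= (1ULL << diff);               /* late but inside window: accept */
    return REPLAY_OK;
}

/* Feed a constructed arrival order and count how many packets would be logged
 * as replay failures; mild reordering yields 0, a true duplicate yields 1. */
int count_replay_failures(const uint32_t *seqs, int n)
{
    struct replay_state st = { 0, 0 };
    int failures = 0;
    for (int i = 0; i < n; i++)
        if (replay_check(&st, seqs[i]) != REPLAY_OK)
            failures++;
    return failures;
}

int main(void)
{
    const uint32_t reordered[] = { 1, 2, 4, 3, 6, 5 };      /* queueing-style reorder */
    const uint32_t duplicated[] = { 1, 2, 3, 3, 4 };        /* one packet duplicated */
    printf("reordered: %d failures\n", count_replay_failures(reordered, 6));
    printf("duplicated: %d failures\n", count_replay_failures(duplicated, 5));
    return 0;
}
```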