Date: Sat, 4 Dec 2010 10:41:57 +0000 (UTC)
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: "Eugene M. Zheganin" <emz@norma.perm.ru>
Cc: freebsd-net@freebsd.org
Subject: Re: ah_input: packet replay failure
Message-ID: <20101204103845.P6126@maildrop.int.zabbadoz.net>
In-Reply-To: <4CF8E9D5.3060105@norma.perm.ru>
References: <4CF76AD4.1010704@norma.perm.ru> <20101202205442.C6126@maildrop.int.zabbadoz.net> <4CF8E9D5.3060105@norma.perm.ru>
On Fri, 3 Dec 2010, Eugene M. Zheganin wrote:

> Hi.
>
> On 03.12.2010 01:58, Bjoern A. Zeeb wrote:
>>>
>>> FreeBSD A >======ipsec over gre===> FreeBSD B
>> I'm using FreeBSD as a security gateway:
>>
>> What it means is that a packet with either an invalid sequence, a
>> sequence lower than the last seen and outside the window, or a
>> sequence seen already (lately) has arrived.
>>
>> Could it be that something is duplicating packets or that you have
>> packet loss between A and B? Given that you say that you are running
>> IPsec on top of GRE (which sounds strange anyway) I'd monitor the
>> outer tunnel endpoints independently to see what's going on.
> Well, could you be more exact, please, about what you meant by saying
> 'strange'?
> Probably my English isn't that good; I just tried to say that I use ipsec to
> encrypt my gre tunnels.

If it is ipsec outer and gre inner encapsulation, that's fine. I was
worried that you'd do it the other way round for some reason.
So it's gre inside ipsec.

> Could this out-of-the-sequence thing be caused by traffic shaping, such as pf
> ALTQing?

Yes. Very likely, especially if you have bursts of packets.

/bz

-- 
Bjoern A. Zeeb                                 Welcome a new stage of life.
         <ks> Going to jail sucks -- <bz> All my daemons like it!
  http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html
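The three failure cases Bjoern lists (invalid sequence, sequence below the window, sequence already seen) are exactly the verdicts of the IPsec anti-replay sliding window that ah_input consults. The block below is an added example, not code from this thread or from the FreeBSD kernel: a standalone window in the shape of RFC 4303 Appendix A, fed with a constructed packet burst that has been reordered the way a shaper queue such as ALTQ can reorder it. The 64-bit window size, the arrival orders and the sequence numbers are all assumptions made for the demonstration.

```c
/*
 * Added example (not FreeBSD's ah_input code): an IPsec anti-replay
 * sliding window, RFC 4303 Appendix A style, driven with constructed
 * arrival orders. Window size of 64 bits is assumed so the bitmap fits
 * one uint64_t.
 */
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 64u  /* assumed window width in packets */

struct replay_state {
    uint32_t last;    /* highest sequence number accepted so far */
    uint64_t bitmap;  /* bit i set: sequence (last - i) already accepted */
};

enum replay_verdict {
    REPLAY_OK = 0,
    REPLAY_ZERO_SEQ,   /* "invalid sequence": 0 is never sent on the wire */
    REPLAY_TOO_OLD,    /* "lower than the last seen and outside the window" */
    REPLAY_DUPLICATE   /* "seen already (lately)" */
};

/* Check only: a receiver runs this before the (expensive) ICV check. */
enum replay_verdict replay_check(const struct replay_state *st, uint32_t seq)
{
    uint32_t diff;

    if (seq == 0)
        return REPLAY_ZERO_SEQ;
    if (seq > st->last)                     /* new right edge, always fine */
        return REPLAY_OK;
    diff = st->last - seq;
    if (diff >= REPLAY_WINDOW)
        return REPLAY_TOO_OLD;
    if (st->bitmap & ((uint64_t)1 << diff))
        return REPLAY_DUPLICATE;
    return REPLAY_OK;
}

/* Update only: run after the ICV verified, so a forged packet with a
 * high sequence number cannot slide the window and shut out real traffic. */
void replay_update(struct replay_state *st, uint32_t seq)
{
    if (seq > st->last) {
        uint32_t shift = seq - st->last;
        st->bitmap = (shift >= REPLAY_WINDOW) ? 1 : (st->bitmap << shift) | 1;
        st->last = seq;
    } else {
        st->bitmap |= (uint64_t)1 << (st->last - seq);
    }
}

/* Check-then-update in one call, as a demo receiver would do per packet. */
enum replay_verdict replay_process(struct replay_state *st, uint32_t seq)
{
    enum replay_verdict v = replay_check(st, seq);
    if (v == REPLAY_OK)
        replay_update(st, seq);
    return v;
}

/* Constructed arrival order: a 10-packet burst with two swaps, the kind of
 * reordering a shaper introduces. Returns how many packets were rejected. */
int rejected_in_reordered_burst(void)
{
    static const uint32_t arrival[] = { 1, 2, 3, 5, 6, 4, 7, 8, 10, 9 };
    struct replay_state st = { 0, 0 };
    int rejected = 0;
    size_t i;

    for (i = 0; i < sizeof arrival / sizeof arrival[0]; i++)
        if (replay_process(&st, arrival[i]) != REPLAY_OK)
            rejected++;
    return rejected;
}

/* Window that has already advanced to seq 200; returns the verdict for a
 * packet that turns up late with sequence late_seq. */
enum replay_verdict verdict_for_late_packet(uint32_t late_seq)
{
    struct replay_state st = { 0, 0 };

    replay_process(&st, 1);
    replay_process(&st, 200);
    return replay_process(&st, late_seq);
}

int main(void)
{
    printf("rejected in reordered burst: %d\n", rejected_in_reordered_burst());
    printf("late seq 150 (50 behind): %d\n", verdict_for_late_packet(150));
    printf("late seq 100 (100 behind): %d\n", verdict_for_late_packet(100));
    printf("seq 200 again: %d\n", verdict_for_late_packet(200));
    return 0;
}
```

The point for the thread: a swap of neighbouring packets inside the window is harmless, but a shaper that holds a packet back by more than the window width (here 64) turns a genuine packet into a "packet replay failure", and a duplicated packet is rejected whatever its distance. If the reordering cannot be removed, the per-SA window can be widened when the SA is installed (setkey(8) takes the window size with `-r`), which trades a little more state for tolerance of the shaper's delay.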
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20101204103845.P6126>