Date: Mon, 29 Dec 2008 12:52:51 +0000 (UTC)
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: Gabe <nrml@att.net>
Cc: freebsd-net@freebsd.org
Subject: Re: +ipsec_common_input: no key association found for SA
Message-ID: <20081229124113.A28465@maildrop.int.zabbadoz.net>
In-Reply-To: <204586.11713.qm@web83809.mail.sp1.yahoo.com>
References: <204586.11713.qm@web83809.mail.sp1.yahoo.com>
On Mon, 29 Dec 2008, Gabe wrote:

> Anyone know what causes this error message?
>
> +ipsec_common_input: no key association found for SA 69.x.x.x[0]/04e317a1/50

From what I remember without looking, this means that you have an IPsec policy for src/dst but no SA matching this pair, or rather no matching destination + protocol + security parameter index (see rfc2401).

The easiest thing you can do is to check setkey -Da for this triple at the time the printf happens. The first thing in the printf is your destination IP (your local side), the next is the SPI in hex and the last is the protocol (50 == ESP). With that you can see if what the peer sends you is what you negotiated/expected.

Are you using static keying or an IKE daemon like racoon? Does this happen for all packets, or just randomly, or exactly every n minutes/hours?

If you find an exact match of the triplet in setkey -Da you may also want to check if there is another one and/or the state of the entry/entries (state=.. at the end of the fourth line). If it's not "mature" check the time related values to see if there is an expiry problem..

/bz

-- 
Bjoern A. Zeeb                      The greatest risk is not taking one.
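The triage the reply describes (pull dst/SPI/protocol out of the kernel message, look for that triple in `setkey -Da`, then look at the SA state), as an added Python example that is not part of the thread. The log line and SAD dump are constructed: 192.0.2.10 stands in for the redacted 69.x.x.x, and the dump layout only approximates setkey output.

```python
import re
# Kernel message shape from the thread: "... SA <dst>[<port>]/<spi hex>/<proto>"
LOG_RE = re.compile(r"no key association found for SA\s+(?P<dst>[0-9a-f.:]+)"
                    r"\[\d+\]/(?P<spi>[0-9a-f]+)/(?P<proto>\d+)", re.I)
PROTO = {50: "esp", 51: "ah"}

def parse_log_line(line):
    """Return (dst, spi as int, proto name) from the kernel message, or None."""
    m = LOG_RE.search(line)
    return None if not m else (m["dst"], int(m["spi"], 16),
                               PROTO.get(int(m["proto"]), m["proto"]))

def parse_sad(dump):
    """Parse a `setkey -Da` style dump into dicts with src, dst, proto, spi, state."""
    sas, cur = [], None
    for line in dump.splitlines():
        if line and not line[0].isspace():          # "<src> <dst>" opens an SA
            cur = dict(zip(("src", "dst"), line.split()[:2]))
            sas.append(cur)
        elif cur is not None:
            m = re.match(r"\s*(esp|ah|ipcomp)\b.*spi=\d+\((0x[0-9a-f]+)\)", line, re.I)
            if m:
                cur["proto"], cur["spi"] = m[1].lower(), int(m[2], 16)
            m = re.search(r"state=(\w+)", line)
            if m:
                cur["state"] = m[1]
    return sas

def triage(log_line, dump):
    """Classify the failure as the reply suggests: no SA, SPI differs, or bad state."""
    parsed = parse_log_line(log_line)
    if parsed is None:
        return "not-an-sa-lookup-failure"
    dst, spi, proto = parsed
    peer = [s for s in parse_sad(dump) if s.get("dst") == dst and s.get("proto") == proto]
    exact = [s for s in peer if s.get("spi") == spi]
    if not peer:
        return "no-sa-for-peer"           # nothing negotiated, or it already expired
    if not exact:
        return "spi-mismatch:" + ",".join("0x%08x" % s["spi"] for s in peer)
    states = sorted({s.get("state", "unknown") for s in exact})
    if states == ["mature"]:
        return "match-mature:%d" % len(exact)   # next: duplicates and timing values
    return "match-not-mature:" + ",".join(states)
# Constructed sample: page's SPI, a documentation address for 69.x.x.x, SAD with another SPI.
LOG_LINE = "+ipsec_common_input: no key association found for SA 192.0.2.10[0]/04e317a1/50"
SAD_DUMP = """198.51.100.2 192.0.2.10
\tesp mode=tunnel spi=82122657(0x04e517a1) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
"""
```

`triage(LOG_LINE, SAD_DUMP)` reports `spi-mismatch:0x04e517a1`, i.e. the peer is sending an SPI the local SAD does not hold for that destination and protocol.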
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20081229124113.A28465>