From owner-freebsd-net@FreeBSD.ORG Mon Dec 29 12:55:10 2008
Date: Mon, 29 Dec 2008 12:52:51 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Gabe
Cc: freebsd-net@freebsd.org
Subject: Re: +ipsec_common_input: no key association found for SA
In-Reply-To: <204586.11713.qm@web83809.mail.sp1.yahoo.com>
Message-ID: <20081229124113.A28465@maildrop.int.zabbadoz.net>
References: <204586.11713.qm@web83809.mail.sp1.yahoo.com>
X-OpenPGP-Key: 0x14003F198FEFA3E77207EE8D2B58B8F83CCF1842
List-Id: Networking and TCP/IP with FreeBSD

On Mon, 29 Dec 2008, Gabe wrote:

> Anyone know what causes this error message?
>
> +ipsec_common_input: no key association found for SA 69.x.x.x[0]/04e317a1/50

From what I remember without looking, this means that you have an IPsec
policy for src/dst but no SA matching this pair, or rather no matching
destination + protocol + security parameter index (see RFC 2401).

The easiest thing you can do is to check setkey -Da for this triple at
the time the printf happens. The first thing in the printf is your
destination IP (your local side), the next is the SPI in hex and the last
is the protocol (50 == ESP). With that you can see if what the peer
sends you is what you negotiated/expected.

Are you using static keying or an IKE daemon like racoon?

Does this happen for all packets, or just randomly, or exactly every n
minutes/hours?

If you find an exact match of the triplet in setkey -Da you may also
want to check if there is another one and/or the state of the
entry/entries (state=.. at the end of the fourth line). If it's not
"mature", check the time related values to see if there is an expiry
problem.

/bz

-- 
Bjoern A. Zeeb                      The greatest risk is not taking one.
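The lookup Bjoern describes (take the destination, SPI and protocol out of the kernel printf, find the same triple in `setkey -Da`, then check whether it is duplicated or not in state "mature") can be scripted so it runs against a saved dump at the moment the message fires. The script below is an added example and is not part of the mail or of FreeBSD's tools. The kernel message and the `setkey -Da` dump it parses are constructed sample data using documentation addresses; the dump layout (unindented "src dst" line, then an indented "esp mode=... spi=decimal(0xhex) ..." line, then a "... state=..." line) is an approximation of FreeBSD's setkey output and the parser only relies on those `key=value` tokens. Protocol numbers 50 (ESP) and 51 (AH) are the IANA assignments.

```python
"""Match an ipsec_common_input "no key association found" message against
a `setkey -Da` dump and report what the mail suggests checking.
Added example, not code from the original post or from FreeBSD."""
import re
from dataclasses import dataclass, field

# IANA protocol numbers as they appear in the kernel printf (50 == ESP).
IPPROTO_NAMES = {50: "esp", 51: "ah"}

# ...no key association found for SA <dst>[<port>]/<spi hex>/<proto>
MSG_RE = re.compile(
    r"no key association found for SA\s+"
    r"(?P<dst>[0-9A-Fa-f.:x]+)\[(?P<port>\d+)\]/(?P<spi>[0-9A-Fa-f]+)/(?P<proto>\d+)"
)


def parse_kernel_message(line):
    """Return (dst, spi as int, protocol name) from the kernel printf, or None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    proto = int(m.group("proto"))
    return (m.group("dst"), int(m.group("spi"), 16),
            IPPROTO_NAMES.get(proto, str(proto)))


@dataclass
class SA:
    src: str
    dst: str
    proto: str
    spi: int
    state: str
    attrs: dict = field(default_factory=dict)


def parse_setkey_dump(text):
    """Parse `setkey -Da` output. Each SA starts with an unindented
    'src dst' line; the indented lines that follow carry its attributes
    (assumed layout, see the lead-in)."""
    raw, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                  # new SA entry
            parts = line.split()
            if len(parts) < 2:
                continue
            cur = {"src": parts[0], "dst": parts[1], "attrs": {}}
            raw.append(cur)
        elif cur is not None:
            body = line.strip()
            m = re.match(r"(esp|ah|ipcomp)\s+(.*)", body)   # "esp mode=... spi=..."
            if m:
                cur["proto"], body = m.group(1), m.group(2)
            for k, v in re.findall(r"(\w+)=(\S+)", body):  # mode=, spi=, state=, ...
                cur["attrs"][k] = v
    sas = []
    for e in raw:
        spi_raw = e["attrs"].get("spi", "0")
        m = re.match(r"\d+\(0x([0-9a-fA-F]+)\)", spi_raw)  # "1311865345(0x04e317a1)"
        spi = int(m.group(1), 16) if m else int(spi_raw, 0)
        sas.append(SA(e["src"], e["dst"], e.get("proto", "?"), spi,
                      e["attrs"].get("state", "?"), e["attrs"]))
    return sas


def find_matches(msg_line, dump_text):
    """All SAs whose (dst, spi, proto) equals the triple in the kernel message."""
    parsed = parse_kernel_message(msg_line)
    if parsed is None:
        raise ValueError("not an ipsec_common_input SA message")
    dst, spi, proto = parsed
    return [sa for sa in parse_setkey_dump(dump_text)
            if sa.dst == dst and sa.spi == spi and sa.proto == proto]


def classify(msg_line, dump_text):
    """'missing': peer used an SPI you never installed (keying/IKE problem);
    'duplicate': more than one SA carries the triple;
    'not-mature': one SA, but its state is not mature (check lifetimes);
    'ok': exactly one mature SA, so look elsewhere (policy, timing)."""
    matches = find_matches(msg_line, dump_text)
    if not matches:
        return "missing"
    if len(matches) > 1:
        return "duplicate"
    return "ok" if matches[0].state == "mature" else "not-mature"


# Constructed sample data (documentation addresses, made-up keys and times).
SAMPLE_MSG = ("ipsec_common_input: no key association found for SA "
              "203.0.113.5[0]/04e317a1/50")
SAMPLE_DUMP = """\
198.51.100.9 203.0.113.5
\tesp mode=tunnel spi=1311865345(0x04e317a1) reqid=0(0x00000000)
\tE: aes-cbc  0123456789abcdef0123456789abcdef
\tA: hmac-sha1  0123456789abcdef0123456789abcdef01234567
\tseq=0x00000000 replay=4 flags=0x00000000 state=dying
\tcreated: Dec 29 04:00:00 2008\tcurrent: Dec 29 12:52:51 2008
\tdiff: 31971(s)\thard: 28800(s)\tsoft: 23040(s)
\tsadb_seq=1 pid=1234 refcnt=1
203.0.113.5 198.51.100.9
\tesp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
\tE: aes-cbc  fedcba9876543210fedcba9876543210
\tA: hmac-sha1  fedcba9876543210fedcba9876543210fedcba98
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tsadb_seq=0 pid=1234 refcnt=1
"""

if __name__ == "__main__":
    for sa in find_matches(SAMPLE_MSG, SAMPLE_DUMP):
        print("%s -> %s %s spi=0x%08x state=%s" % (sa.src, sa.dst, sa.proto, sa.spi, sa.state))
    print(classify(SAMPLE_MSG, SAMPLE_DUMP))
```

On a live box, feed it the real output (`setkey -Da > dump.txt` as soon as the message appears) together with the line from dmesg; the SPI in the printf is hex while setkey prints both decimal and hex, which is why the parser normalises both to an integer before comparing.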