Date:      Mon, 29 Dec 2008 13:19:16 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To:        Gabe <nrml@att.net>
Cc:        freebsd-net@freebsd.org
Subject:   Re: +ipsec_common_input: no key association found for SA
Message-ID:  <20081229131719.K28465@maildrop.int.zabbadoz.net>
In-Reply-To: <20081229124113.A28465@maildrop.int.zabbadoz.net>
References:  <204586.11713.qm@web83809.mail.sp1.yahoo.com> <20081229124113.A28465@maildrop.int.zabbadoz.net>

On Mon, 29 Dec 2008, Bjoern A. Zeeb wrote:

> On Mon, 29 Dec 2008, Gabe wrote:
>
>> Anyone know what causes this error message?
>> 
>> +ipsec_common_input: no key association found for SA 
>> 69.x.x.x[0]/04e317a1/50
>
> from what I remember without looking, this means that you have an
> IPsec policy for src/dst but no SA matching this pair or rather no
> matching destination + protocol + security parameter index (see rfc2401).
>
> The easiest thing you can do is to check
>  setkey -Da
> for this triple the time the printf happens.
>
> The first thing in the printf is your destination IP (your local side),
> the next is the SPI in hex and last is the protocol (50 == ESP). With
> that you can see if what the peer sends you is what you negotiated/expected.
>
> Are you using static keying or an ike daemon like racoon?
> Does this happen for all packets or just randomly or exactly every n
> minutes/hours?
>
> If you find an exact match of the triplet in setkey -Da you may also
> want to check if there is another one and/or the state of the entry/entries
> (state=.. at the end of the fourth line).
> If it's not "mature" check the time related values to see if there is
> an expiry problem..

One more thing - you may want to flip the sysctl to
 	net.key.preferred_oldsa=0
and see if that makes a change. But beware - this is going to affect
all your peers, not just one, so if you have 99 working and 1 not
you'll most likely kill the other 99.

/bz

-- 
Bjoern A. Zeeb                      The greatest risk is not taking one.
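As an added triage helper (not code from the thread or from FreeBSD), the script below parses the kernel message into the dst/SPI/protocol triple described above and looks that triple up in a setkey -D style dump, reporting each matching SA's state so an expiry problem is visible at a glance. The dump layout it assumes and all addresses are constructed sample data.

```python
import re
PROTO_NAMES = {50: "esp", 51: "ah"}  # IP protocol numbers as printed in the message (50 == ESP)
# Layout explained in the thread: <local dst>[<port>]/<SPI in hex>/<protocol number>
LOG_RE = re.compile(r"ipsec_common_input: no key association found for SA\s+"
                    r"(?P<dst>[^\[\s]+)\[(?P<port>\d+)\]/(?P<spi>[0-9a-fA-F]+)/(?P<proto>\d+)")

def parse_log_line(line):
    """Return the dst/SPI/protocol triple from the kernel message, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto = int(m.group("proto"))
    return {"dst": m.group("dst"), "spi": int(m.group("spi"), 16),
            "proto": PROTO_NAMES.get(proto, str(proto))}

def parse_sad(dump):
    """Parse an assumed 'setkey -D' layout: unindented 'src dst' header, indented detail lines."""
    sas, cur = [], None
    for raw in filter(str.strip, dump.splitlines()):
        if not raw[0].isspace():                      # header line: "src dst"
            src, dst = raw.split()[:2]
            cur = {"src": src.split("[")[0], "dst": dst.split("[")[0]}
            sas.append(cur)
        elif cur is not None:
            m = re.match(r"\s*(esp|ah)\s+mode=(\S+)\s+spi=\d+\((0x[0-9a-fA-F]+)\)", raw)
            if m:
                cur.update(proto=m.group(1), mode=m.group(2), spi=int(m.group(3), 16))
            m = re.search(r"\bstate=(\w+)", raw)      # the "state=..." detail line
            if m:
                cur["state"] = m.group(1)
    return sas

def triage(log_line, dump):  # which SAs match the triple, and in what state
    want = parse_log_line(log_line)
    if want is None:
        return "not an ipsec_common_input message"
    hits = [s for s in parse_sad(dump) if s["dst"] == want["dst"]
            and s.get("spi") == want["spi"] and s.get("proto") == want["proto"]]
    if not hits:
        return "no SA for dst=%s spi=0x%08x proto=%s" % (want["dst"], want["spi"], want["proto"])
    return "%d SA(s) match; states: %s" % (len(hits), ",".join(s.get("state", "?") for s in hits))

# Constructed sample input (documentation addresses, not real traffic): one dying inbound SA.
LOG = "+ipsec_common_input: no key association found for SA 192.0.2.10[0]/04e317a1/50"
SAD = ("192.0.2.20 192.0.2.10\n"
       "\tesp mode=tunnel spi=81991585(0x04e317a1) reqid=0(0x00000000)\n"
       "\tseq=0x00000000 replay=4 flags=0x00000000 state=dying\n"
       "192.0.2.10 192.0.2.20\n"
       "\tesp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)\n"
       "\tseq=0x00000000 replay=4 flags=0x00000000 state=mature\n")
```

Running triage(LOG, SAD) reports one matching SA in state "dying", the expiry case the thread tells you to look for; a mismatched SPI yields a "no SA" report, pointing at a negotiation mismatch with the peer instead.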
