Date: Mon, 27 Jan 2003 12:29:23 -0500
From: Steve Bertrand <iaccounts@northnetworks.ca>
To: Peter Haight <peterh@sapros.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD IPSEC tunnel stoped working.
Message-ID: <3E356C73.10401@northnetworks.ca>
References: <200301271225.h0RCPaLG001029@wartch.sapros.com>
Looks like the 'spi' are out of sync on the 2 machines. This is after a
quick glance, but I know on my IPSec setup (with manual keys), the spi's
have to be such:

Stable in spi == Release out spi
Release in spi == Stable out spi

Are you using racoon? If not, post your ipsec script.

Steve Bertrand

Peter Haight wrote:

>I had a FreeBSD IPSEC tunnel set up between two machines that stopped
>working when I upgraded one of the machines to a newer version of
>4.7-STABLE. I'm not sure what the problem is. When I watch the packets on
>the outside interfaces, I see the packet go out from one host, the older
>(4.7-RELEASE) machine replies, but the new one never moves that reply packet
>back across the tunnel.
>
>'netstat -sn -p ipsec' is reporting that packets are "violating process
>security policy". I'm pretty sure that is the problem, but I'm not sure what
>that means.
>
>Here's setkey -DP (4.7-STABLE):
>
>192.168.1.1/24[any] 10.10.1.1/24[any] any
>        in ipsec
>        esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
>        spid=24 seq=1 pid=24319
>        refcnt=1
>10.10.1.1/24[any] 192.168.1.1/24[any] any
>        out ipsec
>        esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
>        spid=23 seq=0 pid=24319
>        refcnt=1
>
>setkey -DP (4.7-RELEASE):
>10.10.1.1/24[any] 192.168.1.1/24[any] any
>        in ipsec
>        esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
>        spid=4 seq=1 pid=8760
>        refcnt=1
>192.168.1.1/24[any] 10.10.1.1/24[any] any
>        out ipsec
>        esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
>        spid=3 seq=0 pid=8760
>        refcnt=1
>
>
>netstat -sn -p ipsec (4.7-STABLE):
>ipsec:
>        1688 inbound packets processed successfully
>        1682 inbound packets violated process security policy
>        0 inbound packets with no SA available
>        0 invalid inbound packets
>        0 inbound packets failed due to insufficient memory
>        0 inbound packets failed getting SPI
>        0 inbound packets failed on AH replay check
>        0 inbound packets failed on ESP replay check
>        0 inbound packets considered authentic
>        0 inbound packets failed on authentication
>        ESP input histogram:
>                blowfish-cbc: 1688
>        588 outbound packets processed successfully
>        0 outbound packets violated process security policy
>        11 outbound packets with no SA available
>        0 invalid outbound packets
>        0 outbound packets failed due to insufficient memory
>        0 outbound packets with no route
>        ESP output histogram:
>                blowfish-cbc: 588
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message
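Steve's mirror rule above is stated for SPIs (the SAs shown by `setkey -D`), but the same relation has to hold for the policies Peter pasted: every `in` policy on one host should exist as an `out` policy on the peer with the same selector and the same tunnel endpoints, and vice versa. The following is an added example, written for this page and not code from either poster: a Python script that parses `setkey -DP` output from two hosts and lists the policies that have no counterpart on the peer. The sample input is the two dumps quoted in the thread, with the poster's XX/YY placeholders kept as-is; `SPD_STABLE_BAD` is a constructed variant with the tunnel endpoints of the inbound policy reversed, to show what a reported mismatch looks like. `Policy`, `parse_spd`, `peer_mismatches` and `spd_consistent` are names chosen here.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two `setkey -DP` dumps quoted in the thread.
# Public endpoints stay as the XX/YY placeholders the poster used.
SPD_STABLE = """\
192.168.1.1/24[any] 10.10.1.1/24[any] any
	in ipsec
	esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
	spid=24 seq=1 pid=24319
	refcnt=1
10.10.1.1/24[any] 192.168.1.1/24[any] any
	out ipsec
	esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
	spid=23 seq=0 pid=24319
	refcnt=1
"""

SPD_RELEASE = """\
10.10.1.1/24[any] 192.168.1.1/24[any] any
	in ipsec
	esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
	spid=4 seq=1 pid=8760
	refcnt=1
192.168.1.1/24[any] 10.10.1.1/24[any] any
	out ipsec
	esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
	spid=3 seq=0 pid=8760
	refcnt=1
"""

# Constructed broken variant: the inbound policy on the STABLE box names the
# tunnel endpoints in the wrong order, so it no longer mirrors the peer's
# outbound policy.
SPD_STABLE_BAD = SPD_STABLE.replace(
    "esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require",
    "esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require", 1)


@dataclass(frozen=True)
class Policy:
    src: str        # source selector, e.g. "192.168.1.1/24[any]"
    dst: str        # destination selector
    proto: str      # upper-layer protocol selector ("any" in the dumps)
    direction: str  # "in", "out" or "fwd"
    action: str     # "ipsec", "discard" or "none"
    rules: tuple    # e.g. ("esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require",)

    def selector(self):
        return (self.src, self.dst, self.proto)


SELECTOR_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
DIRECTION_RE = re.compile(r"^(in|out|fwd)\s+(ipsec|discard|none)$")
RULE_RE = re.compile(
    r"^(esp|ah|ipcomp)/(transport|tunnel)(?:/\S*)?/(default|use|require|unique(?::\d+)?)$")


def parse_spd(text):
    """Parse `setkey -DP` output into a list of Policy records."""
    policies = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            # An unindented line starts a new policy: "src dst proto".
            m = SELECTOR_RE.match(line)
            if not m:
                raise ValueError("unrecognised selector line: %r" % raw)
            cur = {"src": m.group(1), "dst": m.group(2), "proto": m.group(3),
                   "direction": None, "action": None, "rules": []}
            policies.append(cur)
            continue
        if cur is None:
            raise ValueError("indented line before any selector: %r" % raw)
        m = DIRECTION_RE.match(line)
        if m:
            cur["direction"], cur["action"] = m.group(1), m.group(2)
            continue
        if RULE_RE.match(line):
            cur["rules"].append(line)
        # spid=/seq=/pid=/refcnt= lines are bookkeeping, not policy content.
    return [Policy(p["src"], p["dst"], p["proto"], p["direction"],
                   p["action"], tuple(p["rules"])) for p in policies]


def peer_mismatches(spd_a, spd_b):
    """Return the in/out policies on host A with no counterpart on host B.

    A counterpart is a policy on B with the same selector, the opposite
    direction and identical rules (same protocol, mode, endpoints and level).
    """
    b_index = {(p.selector(), p.direction, p.rules) for p in spd_b}
    opposite = {"in": "out", "out": "in"}
    return [p for p in spd_a
            if p.direction in opposite
            and (p.selector(), opposite[p.direction], p.rules) not in b_index]


def spd_consistent(text_a, text_b):
    """True when the two hosts' SPDs mirror each other in both directions."""
    a, b = parse_spd(text_a), parse_spd(text_b)
    return not peer_mismatches(a, b) and not peer_mismatches(b, a)


if __name__ == "__main__":
    print("thread dumps consistent:", spd_consistent(SPD_STABLE, SPD_RELEASE))
    for p in peer_mismatches(parse_spd(SPD_STABLE_BAD), parse_spd(SPD_RELEASE)):
        print("no counterpart on peer:", p.direction, p.src, p.dst, p.rules)
```

Run against the two dumps in the thread, the policies come out mirrored, so this check on its own does not explain the "violated process security policy" counter; it only rules out the SPD as the source of a disagreement. The SAs (`setkey -D`, with their SPIs) are a separate table and need the equivalent comparison; `fwd` policies are skipped because they have no single peer counterpart.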