Date:      Sat, 21 Apr 2018 19:16:38 +0300
From:      Victor Gamov <vit@otcnet.ru>
To:        freebsd-net@freebsd.org
Subject:   Re: multiple if_ipsec
Message-ID:  <77c37ff9-8de3-dec0-176a-2b34db136bc5@otcnet.ru>
In-Reply-To: <c2cb415b-bcde-c714-9412-103e674ce673@yandex.ru>
References:  <b859ed18-e511-3640-4662-4242a53d999c@otcnet.ru> <5e36ac3f-39ce-72c5-cd97-dd3c4cf551a7@yandex.ru> <30d1c5f9-56e7-c67b-43e1-e6f0457360a8@otcnet.ru> <c2cb415b-bcde-c714-9412-103e674ce673@yandex.ru>

On 20/04/2018 19:42, Andrey V. Elsukov wrote:
> On 20.04.2018 18:48, Victor Gamov wrote:
>> To be more precise, the problem is: only the last configured ipsec
>> interface can tx/rx traffic.  For my example:
>>
>> - ping from 10.10.98.1 to 10.10.98.2 via ipsec30 is OK
>>
>> - ping from 10.10.98.2 to 10.10.98.1 via ipsec30 is OK
>>
>> - ping from 10.10.98.5 (Cisco) to 10.10.98.6 via ipsec25 -- no
>> responses, but I see ESP traffic on the external interface and (!!!)
>> an ICMP reply from 10.10.98.5 to 10.10.98.6 on ipsec25  (but no
>> ICMP request on ipsec25 !!!)
>>
>> - ping from 10.10.98.6 to 10.10.98.5 via ipsec25 -- no responses, I see
>> the ICMP request on ipsec25 but no ESP traffic on the external interface
> 
> This looks like you don't have an outbound SA for the ipsec25 interface.
> If you run `netstat -w1 -I ipsec25` and ping 10.10.98.5,
> there should be output errors.
> 
> `setkey -D` should have SA:
> 
> IP-FreeBSD IP-Cisco-RTR-1
>      esp mode=tunnel spi=xxxx reqid=25
>      ......
>      ................. state=mature
> 
> Do you have it?

Yes, I have all the SAs -- two for every ipsec interface.  And there are no 
errors in `netstat -w1 -I ipsec25` while pinging 10.10.98.5; only the output 
bytes counter shows 84 bytes per second (one ICMP request).

When I change the ipsec interface creation order, again only the last 
created interface works fine, and the previously configured interfaces do 
not work.


And a very interesting fact: when I ping from the remote 10.10.98.5, for 
example, to FreeBSD 10.10.98.6, no ICMP request comes in over the 
ipsec interface, but an ICMP reply goes out via this ipsec interface (and 
is not delivered to 10.10.98.5).


Any ideas?

-- 
Best regards,
Victor Gamov



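Andrey's suggested check is to look in `setkey -D` for a mature ESP tunnel SA with the interface's reqid in each direction. The script below automates that check: it parses text in the `setkey -D` layout into one line per SA and then reports, for a given local address and reqid, whether a mature inbound SA (local address as destination) and a mature outbound SA (local address as source) both exist. This is an added example written for this page, not code from either poster or from FreeBSD; the addresses, SPIs and the embedded SAD text are constructed to resemble `setkey -D` output, with reqid 30 complete in both directions and reqid 25 deliberately missing its outbound SA.

```shell
#!/bin/sh
# Added example: check that an if_ipsec reqid has a mature SA in both
# directions, based on the layout printed by `setkey -D`.

# Constructed sample in the shape of `setkey -D` output (hypothetical
# addresses/SPIs). 192.0.2.1 plays the FreeBSD host; reqid 30 has SAs in
# both directions, reqid 25 only has the inbound one.
SAMPLE_SAD='192.0.2.1 198.51.100.1
    esp mode=tunnel spi=268435457(0x10000001) reqid=30(0x0000001e)
    E: aes-cbc  00000000 00000000 00000000 00000000
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.1 192.0.2.1
    esp mode=tunnel spi=268435458(0x10000002) reqid=30(0x0000001e)
    E: aes-cbc  00000000 00000000 00000000 00000000
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
203.0.113.1 192.0.2.1
    esp mode=tunnel spi=268435459(0x10000003) reqid=25(0x00000019)
    E: aes-cbc  00000000 00000000 00000000 00000000
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
'

# sa_table: read setkey -D text on stdin, print "src dst reqid state" per SA.
sa_table() {
    awk '
        # An SA block starts with "src dst" alone on an unindented line.
        /^[0-9A-Fa-f.:]+ [0-9A-Fa-f.:]+$/ { src = $1; dst = $2; reqid = ""; next }
        # The protocol line carries reqid=N(0x...); keep only the decimal N.
        /^[ \t]*(esp|ah) / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^reqid=/) { reqid = $i; sub(/^reqid=/, "", reqid); sub(/\(.*$/, "", reqid) }
            next
        }
        # The flags line carries state=mature|larval|dying|dead.
        /state=/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^state=/) { st = $i; sub(/^state=/, "", st) }
            if (src != "") print src, dst, reqid, st
        }
    '
}

# sa_direction_status LOCAL_IP REQID: read sa_table lines on stdin and print
# ok | missing-inbound | missing-outbound | missing-both for that reqid.
sa_direction_status() {
    local_ip=$1; want=$2
    have_in=0; have_out=0
    while read -r src dst rid st; do
        [ "$rid" = "$want" ] || continue
        [ "$st" = "mature" ] || continue      # larval/dying SAs do not count
        [ "$dst" = "$local_ip" ] && have_in=1   # inbound: traffic to us
        [ "$src" = "$local_ip" ] && have_out=1  # outbound: traffic from us
    done
    if [ "$have_in" -eq 1 ] && [ "$have_out" -eq 1 ]; then echo ok
    elif [ "$have_in" -eq 1 ]; then echo missing-outbound
    elif [ "$have_out" -eq 1 ]; then echo missing-inbound
    else echo missing-both
    fi
}

# check_reqid LOCAL_IP REQID: run the check against the constructed sample.
check_reqid() {
    printf '%s' "$SAMPLE_SAD" | sa_table | sa_direction_status "$1" "$2"
}

# Stand-alone run: reqid 30 -> ok, reqid 25 -> missing-outbound.
for rid in 30 25; do
    printf 'reqid %s: %s\n' "$rid" "$(check_reqid 192.0.2.1 "$rid")"
done
```

On a real host replace the sample with `setkey -D | sa_table | sa_direction_status <local-ip> <reqid>`, using the reqid set on the interface with `ifconfig ipsecN reqid N`. A `missing-outbound` result matches the symptom Andrey describes (packets counted on the interface but no ESP on the wire); an `ok` result, as Victor reports, means the SAD is not where the problem lies and the policy (`setkey -DP`) or interface order is the next thing to look at.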