Date: Fri, 20 Apr 2018 18:48:24 +0300
From: Victor Gamov <vit@otcnet.ru>
To: freebsd-net@freebsd.org
Subject: Re: multiple if_ipsec
Message-ID: <30d1c5f9-56e7-c67b-43e1-e6f0457360a8@otcnet.ru>
In-Reply-To: <5e36ac3f-39ce-72c5-cd97-dd3c4cf551a7@yandex.ru>
References: <b859ed18-e511-3640-4662-4242a53d999c@otcnet.ru> <5e36ac3f-39ce-72c5-cd97-dd3c4cf551a7@yandex.ru>
On 20/04/2018 13:04, Andrey V. Elsukov wrote:
> On 20.04.2018 11:17, Victor Gamov wrote:
>> All local SAs are configured and established, and the remote side (Cisco routers)
>> reports SAs established too.
>>
>> But traffic goes via only one ipsec interface.
>
> If you have all SAs established, you probably need to check your routing
> configuration. Or at least test that addresses configured on the ipsecXX
> interfaces are reachable.

A more precise statement of the problem is: only the last configured ipsec interface transmits/receives traffic.

For my example:

- ping from 10.10.98.1 to 10.10.98.2 via ipsec30 is OK
- ping from 10.10.98.2 to 10.10.98.1 via ipsec30 is OK
- ping from 10.10.98.5 (Cisco) to 10.10.98.6 via ipsec25 -- no responses, but I see ESP traffic on the external interface and (!!!) an ICMP reply from 10.10.98.5 to 10.10.98.6 on ipsec25 (but no ICMP request on ipsec25 !!!)
- ping from 10.10.98.6 to 10.10.98.5 via ipsec25 -- no responses; I see the ICMP request on ipsec25 but no ESP traffic on the external interface

Any suggestions?

--
Best regards,
Victor Gamov