Date: Thu, 26 Jan 2006 11:51:36 -0800
From: Julian Elischer <julian@elischer.org>
To: FreeBSD MailList <subscriber@osk.com.ua>
Cc: freebsd-net@freebsd.org
Subject: Re: Duplicate SAD entries lead to ESP tunnel malfunction
Message-ID: <43D92848.2050005@elischer.org>
In-Reply-To: <83462512.20060126181018@osk.com.ua>
References: <83462512.20060126181018@osk.com.ua>
Oleg Tarasov wrote:

> Hello,
>
> I run FreeBSD 6.0 and installed the latest ported version of ipsec-tools.
>
> I had to create two IPSEC tunnels to two different hosts. One host
> runs FreeBSD too; on the other is a hardware router, a D-Link DI-804HV.
> That router is supposed to support IPSEC tunnelling and seems to work
> fine.
>
> When an IPSEC tunnel is established, two SAD entries are created, one
> per direction. This is normal functioning.
>
> In my case sometimes two more are created. Some connection problem
> occurs, causing both sides to reestablish the tunnel. Both sides report
> that the tunnel is established successfully, but no packets can pass
> through the tunnel. Dumping SAD entries using
>     setkey -D
> shows that there are two SAD entries for both address pairs.
>
> How can this happen anyway?
>
> Flushing SAD entries helps the tunnel return to functionality; after
> this the tunnel is established successfully and works properly.

There is a sysctl that can help this behaviour, but I forget which;
something to do with ipsec and oldSAD or newSAD or something..
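As an added illustration of the check Oleg describes (dump the SAD with setkey -D and look for two entries per address pair), and not part of the original thread or of ipsec-tools: a small shell function that parses setkey -D output and reports every (src, dst, protocol) triple carrying more than one live SA. The dump it runs on is constructed to mimic the setkey -D layout (unindented "src dst" line, indented detail lines), not a real capture; the addresses and SPIs are made up and the E:/A: key lines are omitted. Only state=mature SAs are counted, so the one-mature-plus-one-dying overlap left behind by a normal rekey is not reported, while two mature SAs in the same direction, the state Oleg sees, is.

```shell
#!/bin/sh
# Added example (not from the thread or from ipsec-tools): flag address pairs
# in `setkey -D` output that carry more than one live (state=mature) SA for
# the same protocol. Two mature SAs in one direction is the broken state
# described in the thread; one mature plus one dying SA is normal rekeying.

# Constructed `setkey -D`-style dump, not a real capture. Real output indents
# the detail lines with a tab; the parser accepts tabs or spaces. The E:/A:
# key lines are omitted. Pair 10.1.1.1<->10.2.2.2 has two mature SAs per
# direction (the fault); pair 10.1.1.1<->10.3.3.3 has one mature SA per
# direction plus one dying SA left over from a rekey (healthy).
SAMPLE_SAD='10.1.1.1 10.2.2.2
    esp mode=tunnel spi=196627001(0x0bb84a39) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jan 26 10:00:00 2006   current: Jan 26 11:50:00 2006
    sadb_seq=1 pid=1234 refcnt=1
10.1.1.1 10.2.2.2
    esp mode=tunnel spi=2014210(0x001ebc02) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jan 26 11:40:00 2006   current: Jan 26 11:50:00 2006
    sadb_seq=2 pid=1234 refcnt=1
10.2.2.2 10.1.1.1
    esp mode=tunnel spi=84276209(0x0505f3f1) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    sadb_seq=3 pid=1234 refcnt=1
10.2.2.2 10.1.1.1
    esp mode=tunnel spi=3301632(0x00326100) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    sadb_seq=4 pid=1234 refcnt=1
10.1.1.1 10.3.3.3
    esp mode=tunnel spi=57005(0x0000dead) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=dying
    sadb_seq=5 pid=1234 refcnt=1
10.1.1.1 10.3.3.3
    esp mode=tunnel spi=48879(0x0000beef) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    sadb_seq=6 pid=1234 refcnt=1
10.3.3.3 10.1.1.1
    esp mode=tunnel spi=51966(0x0000cafe) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    sadb_seq=7 pid=1234 refcnt=1'

# Read setkey -D output on stdin; print "src dst proto count" for every
# (src, dst, proto) that has more than one mature SA.
find_duplicate_sas() {
    awk '
        # An unindented line with exactly two fields opens a new SA entry.
        /^[^ \t]/ && NF == 2 { src = $1; dst = $2; proto = ""; next }
        # The first indented line names the protocol (esp or ah).
        /^[ \t]+(esp|ah)[ \t]+mode=/ { proto = $1; next }
        # Only mature SAs carry traffic; dying and dead ones are ignored.
        /state=mature/ && proto != "" { live[src " " dst " " proto]++ }
        END { for (k in live) if (live[k] > 1) print k, live[k] }
    ' | sort
}

# Wrapper with an exit status, so the check can be scripted (cron, monitoring)
# and the operator alerted before falling back to a full `setkey -F`.
check_sad() {
    dups=$(find_duplicate_sas)
    if [ -n "$dups" ]; then
        printf '%s\n' "$dups"
        return 1
    fi
    return 0
}

# Run against the constructed sample. On a live host:  setkey -D | check_sad
printf '%s\n' "$SAMPLE_SAD" | check_sad || echo "duplicate live SAs found"
```

The expected report on the sample is the two directions of the 10.1.1.1/10.2.2.2 pair, each with a count of 2; the 10.3.3.3 pair is silent because its second SA is dying, not mature. On FreeBSD the knob Julian is reaching for is net.key.prefered_oldsa (spelled that way in the kernel), which decides whether the kernel keeps using the older or switches to the newer of two matching mature SAs; flushing, as Oleg found, removes the ambiguity outright.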