Stable in spi == Release out spi
Release in spi == Stable out spi
Are you using racoon? If not, post your ipsec script.
Steve Bertrand
Peter Haight wrote:
I had a FreeBSD IPSEC tunnel set up between two machines that stopped
working when I upgraded one of the machines to a newer version of
4.7-STABLE. I'm not sure what the problem is. When I watch the packets on
the outside interfaces, I see the packet go out from one host, the older
(4.7-RELEASE) machine replies, but the new one never moves that reply packet
back across the tunnel.
'netstat -sn -p ipsec' is reporting that packets are "violating process
security policy". I'm pretty sure that is the problem, but I'm not sure what
that means.
Here's setkey -DP (4.7-STABLE):
192.168.1.1/24[any] 10.10.1.1/24[any] any
in ipsec
esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
spid=24 seq=1 pid=24319
refcnt=1
10.10.1.1/24[any] 192.168.1.1/24[any] any
out ipsec
esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
spid=23 seq=0 pid=24319
refcnt=1
setkey -DP (4.7-RELEASE):
10.10.1.1/24[any] 192.168.1.1/24[any] any
in ipsec
esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
spid=4 seq=1 pid=8760
refcnt=1
192.168.1.1/24[any] 10.10.1.1/24[any] any
out ipsec
esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
spid=3 seq=0 pid=8760
refcnt=1
netstat -sn -p ipsec (4.7-STABLE):
ipsec:
1688 inbound packets processed successfully
1682 inbound packets violated process security policy
0 inbound packets with no SA available
0 invalid inbound packets
0 inbound packets failed due to insufficient memory
0 inbound packets failed getting SPI
0 inbound packets failed on AH replay check
0 inbound packets failed on ESP replay check
0 inbound packets considered authentic
0 inbound packets failed on authentication
ESP input histogram:
blowfish-cbc: 1688
588 outbound packets processed successfully
0 outbound packets violated process security policy
11 outbound packets with no SA available
0 invalid outbound packets
0 outbound packets failed due to insufficient memory
0 outbound packets with no route
ESP output histogram:
blowfish-cbc: 588
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
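The hint in the reply above is that each host's "in" policy must be the exact mirror of its peer's "out" policy: same selectors, same esp/tunnel/outer-src-outer-dst/level. The script below is an added example written for this thread, not code from either poster or from FreeBSD. It parses the two `setkey -DP` dumps quoted in the post (embedded here as constructed sample text, with the leading tabs the archive dropped), reports any policy on one side that has no mirror on the other, and separately scans the quoted `netstat -sn -p ipsec` counters for the "violated process security policy" line. The function names and the `Policy` record are my own. Run on the two dumps quoted above it finds no selector mismatch, so whatever is tripping the violation counter is not a difference between the two SPD entries themselves.

```python
"""Cross-check two hosts' `setkey -DP` dumps and scan `netstat -sn -p ipsec`.

Added example for this thread; not from the original post or from FreeBSD.
A tunnel only passes traffic when host A's "in" policy is the mirror of host
B's "out" policy (same src/dst/upper-layer selectors, same protocol, mode,
outer endpoints and level), which is what check_mirror() tests.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the setkey -DP output quoted in the post.
STABLE_SPD = """\
192.168.1.1/24[any] 10.10.1.1/24[any] any
in ipsec
esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
spid=24 seq=1 pid=24319
refcnt=1
10.10.1.1/24[any] 192.168.1.1/24[any] any
out ipsec
esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
spid=23 seq=0 pid=24319
refcnt=1
"""
RELEASE_SPD = """\
10.10.1.1/24[any] 192.168.1.1/24[any] any
in ipsec
esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
spid=4 seq=1 pid=8760
refcnt=1
192.168.1.1/24[any] 10.10.1.1/24[any] any
out ipsec
esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
spid=3 seq=0 pid=8760
refcnt=1
"""
# Constructed sample input: a subset of the netstat -sn -p ipsec lines quoted in the post.
NETSTAT_IPSEC = """\
ipsec:
1688 inbound packets processed successfully
1682 inbound packets violated process security policy
0 inbound packets with no SA available
ESP input histogram:
blowfish-cbc: 1688
588 outbound packets processed successfully
0 outbound packets violated process security policy
11 outbound packets with no SA available
"""

# "src[port] dst[port] upper-layer-proto"
HEADER_RE = re.compile(r"^(\S+)\[(\S+)\]\s+(\S+)\[(\S+)\]\s+(\S+)$")
DIR_RE = re.compile(r"^(in|out|fwd)\s+(\S+)$")               # "in ipsec", "out discard", ...
RULE_RE = re.compile(r"^(esp|ah|ipcomp)/(tunnel|transport)/([^/]*)/(\S+)$")
SPID_RE = re.compile(r"^spid=(\d+)")
STAT_RE = re.compile(r"^(\d+)\s+(.+)$")                         # "<count> <description>"


@dataclass
class Policy:
    src: str
    dst: str
    upper: str
    direction: str = ""
    action: str = ""
    rules: List[Tuple[str, str, str, str]] = field(default_factory=list)
    spid: Optional[int] = None


def parse_setkey_dp(text: str) -> List[Policy]:
    """Turn a setkey -DP dump into Policy records, one per selector block."""
    policies: List[Policy] = []
    cur: Optional[Policy] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:                                   # a new selector line starts a policy
            cur = Policy(src=m.group(1), dst=m.group(3), upper=m.group(5))
            policies.append(cur)
            continue
        if cur is None or not line:
            continue
        if (m := DIR_RE.match(line)):
            cur.direction, cur.action = m.group(1), m.group(2)
        elif (m := RULE_RE.match(line)):
            cur.rules.append((m.group(1), m.group(2), m.group(3), m.group(4)))
        elif (m := SPID_RE.match(line)):
            cur.spid = int(m.group(1))
    return policies


def policy_key(p: Policy) -> tuple:
    """Everything that must agree between a host's policy and its peer's mirror."""
    return (p.src, p.dst, p.upper, p.action, tuple(p.rules))


def check_mirror(local_dump: str, remote_dump: str) -> List[str]:
    """Return one line per unmatched ipsec policy; an empty list means the SPDs mirror."""
    local, remote = parse_setkey_dp(local_dump), parse_setkey_dp(remote_dump)
    problems: List[str] = []
    for direction, counterpart in (("in", "out"), ("out", "in")):
        mine = {policy_key(p): p for p in local if p.direction == direction and p.action == "ipsec"}
        theirs = {policy_key(p): p for p in remote if p.direction == counterpart and p.action == "ipsec"}
        for key, p in mine.items():
            if key not in theirs:
                problems.append(f"local {direction} spid={p.spid} {p.src} -> {p.dst} {p.rules} has no remote {counterpart} mirror")
        for key, p in theirs.items():
            if key not in mine:
                problems.append(f"remote {counterpart} spid={p.spid} {p.src} -> {p.dst} {p.rules} has no local {direction} mirror")
    return problems


def parse_ipsec_stats(text: str) -> Dict[str, int]:
    """Map each "<count> <description>" line of netstat -sn -p ipsec to its count."""
    return {m.group(2): int(m.group(1)) for m in map(STAT_RE.match, map(str.strip, text.splitlines())) if m}


def policy_violations(stats: Dict[str, int]) -> List[Tuple[str, int]]:
    """Non-zero counters whose description mentions a policy violation."""
    return [(desc, n) for desc, n in stats.items() if "violated" in desc and n > 0]


if __name__ == "__main__":
    for line in check_mirror(STABLE_SPD, RELEASE_SPD) or ["SPDs mirror each other"]:
        print(line)
    for desc, n in policy_violations(parse_ipsec_stats(NETSTAT_IPSEC)):
        print(f"{n} {desc}")
```

To use it on live hosts, paste each side's `setkey -DP` output into the two strings (or read them from files) and run the script on either machine; the comparison treats the policy text as the thing that must agree, so a differing prefix length, level or outer endpoint pair shows up as an unmatched policy on both sides.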