multiple if_ipsec
Victor Gamov
vit at otcnet.ru
Sat Apr 21 16:16:45 UTC 2018
On 20/04/2018 19:42, Andrey V. Elsukov wrote:
> On 20.04.2018 18:48, Victor Gamov wrote:
>> More precisely, the problem is: only the last configured ipsec interface
>> passes tx/rx traffic. For my example:
>>
>> - ping from 10.10.98.1 to 10.10.98.2 via ipsec30 is OK
>>
>> - ping from 10.10.98.2 to 10.10.98.1 via ipsec30 is OK
>>
>> - ping from 10.10.98.5 (Cisco) to 10.10.98.6 via ipsec25 -- no
>> responses, but I see ESP traffic on the external interface and (!!!)
>> an ICMP-reply from 10.10.98.5 to 10.10.98.6 on ipsec25 (but no
>> ICMP-request on ipsec25 !!!)
>>
>> - ping from 10.10.98.6 to 10.10.98.5 via ipsec25 -- no responses, I see
>> the ICMP-request on ipsec25 but no ESP traffic on the external interface
>
> This looks like you don't have an outbound SA for the ipsec25 interface.
> If you run `netstat -w1 -I ipsec25` and ping 10.10.98.5,
> there should be output errors.
>
> `setkey -D` should have SA:
>
> IP-FreeBSD IP-Cisco-RTR-1
> esp mode=tunnel spi=xxxx reqid=25
> ......
> ................. state=mature
>
> Do you have it?
Yes, I have all SAs -- two for every ipsec interface. And no errors at
`netstat -w1 -I ipsec25` while pinging 10.10.98.5; only the output bytes
counter shows 84 bytes per second (one ICMP request).
When I change the ipsec-interface creation order, only the last created
interface works fine again and the previously configured interfaces do
not work.
And a very interesting fact: when I ping from the remote 10.10.98.5, for
example, to FreeBSD 10.10.98.6, no ICMP request comes in over the
ipsec interface but an ICMP reply goes out via this ipsec interface (but
is not delivered to 10.10.98.5).
Any ideas?
--
Best regards,
Victor Gamov
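One way to run the SA check Andrey describes across all interfaces at once, as an added example that is not part of this thread: a shell function that parses `setkey -D` output and reports, per reqid, whether a mature ESP SA exists in both directions. The `setkey -D` text below is constructed (documentation addresses, trimmed to the fields the check needs), and the example assumes an SA whose source is the local address is the outbound one.

```shell
#!/bin/sh
# Constructed `setkey -D` output: both SAs for reqid 30, but only the
# inbound (remote -> local) SA for reqid 25. Real output carries more
# fields per SA; only the "SRC DST", "reqid=" and "state=" lines matter here.
SAMPLE_SETKEY_OUTPUT='192.0.2.1 198.51.100.2
    esp mode=tunnel spi=3001(0x00000bb9) reqid=30(0x0000001e)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.2 192.0.2.1
    esp mode=tunnel spi=3002(0x00000bba) reqid=30(0x0000001e)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.1 192.0.2.1
    esp mode=tunnel spi=2502(0x000009c6) reqid=25(0x00000019)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature'

# check_sa_pairs LOCAL_IP REQID...
# Reads `setkey -D` output on stdin, prints one line per requested reqid and
# returns non-zero if any reqid lacks a mature SA in either direction.
check_sa_pairs() {
    local_ip=$1; shift
    awk -v me="$local_ip" -v want="$*" '
        # An SA record starts with an unindented "SRC DST" line.
        /^[^ \t]/ { src = $1; dst = $2; reqid = ""; next }
        # Pull the decimal reqid out of "reqid=25(0x00000019)".
        /reqid=/  { sub(/.*reqid=/, ""); sub(/[^0-9].*/, ""); reqid = $0 }
        # Only mature SAs carry traffic; larval/dying ones do not count.
        /state=mature/ && reqid != "" {
            dir = (src == me) ? "out" : "in"
            seen[reqid, dir] = 1
        }
        END {
            rc = 0
            n = split(want, ids, " ")
            for (i = 1; i <= n; i++) {
                id = ids[i]; missing = ""
                if (!((id, "out") in seen)) missing = missing " outbound"
                if (!((id, "in") in seen))  missing = missing " inbound"
                if (missing == "") print "reqid " id ": ok"
                else { print "reqid " id ": MISSING mature" missing " SA"; rc = 1 }
            }
            exit rc
        }'
}

# On a real host: setkey -D | check_sa_pairs <local-ip> 30 25
printf '%s\n' "$SAMPLE_SETKEY_OUTPUT" | check_sa_pairs 192.0.2.1 30 25 || true
```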