Re: Duplicate SAD entries lead to ESP tunnel malfunction



Oleg Tarasov wrote:

Hello,

I run FreeBSD 6.0 and installed latest ported version of ipsec-tools.

I had to create two IPSEC tunnels to two different hosts. One host
runs FreeBSD too; the other is a D-Link DI-804HV hardware router.
That router is supposed to support IPSEC tunnelling and seems to
work fine.

When an IPSEC tunnel is established, two SAD entries are created - one
per direction. This is normal functioning.

In my case sometimes two more are created. Some connection problem
occurs, causing both sides to re-establish the tunnel. Both sides
report that the tunnel is established successfully, but no packets can
pass through it. Dumping the SAD entries using
setkey -D
shows that there are two SAD entries for both address pairs.

How can this happen anyway?

Flushing the SAD entries restores the tunnel: after this the tunnel is
established successfully and works properly.



There is a sysctl that can help this behaviour but I forget which

something to do with ipsec and oldSAD or newSAD or something..

==========



_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net