----- Original Message ----

> From: Bjoern A. Zeeb <bzeeb-li...@lists.zabbadoz.net>
> To: Gabe <n...@att.net>
> Cc: freebsd-net@freebsd.org
> Sent: Monday, December 29, 2008 2:25:32 PM
> Subject: Re: +ipsec_common_input: no key association found for SA
> 
> On Mon, 29 Dec 2008, Bjoern A. Zeeb wrote:
> 
> > On Mon, 29 Dec 2008, Gabe wrote:
> >
> >> This is what setkey -Da returns:
> >> box# setkey -Da
> >> Invalid extension type
> >> Invalid extension type
> >> box#
> >
> > you are running with the NAT-T patch (as I see you say further down).
> > Try /usr/local/sbin/setkey -Da in that case.
> 
> 
> One more thing; if you are comparing SPIs from the log with setkey,
> you can also run
> tcpdump -s 0 -vv -ln proto 50
> and it will show you something like
>     ... ESP(spi=0x12345678,seq=0x..),
> so you could as well compare what you receive on the wire with what
> you get in the log. This would help to eliminate the case of a
> problematic patch.
> 
> /bz
> 
> -- 
> Bjoern A. Zeeb                      The greatest risk is not taking one.

Thanks for the help on this. As for the box-box2 mistake, it was no typo.
This is what I've changed it to:

local server:

flush;
spdflush;

spdadd 192.168.10.0/24 192.168.20.0/24 any -P out ipsec esp/tunnel/box-box2/unique;
spdadd 192.168.20.0/24 192.168.10.0/24 any -P in ipsec esp/tunnel/box2-box/unique;

and on the remote server:

flush;
spdflush;

spdadd 192.168.20.0/24 192.168.10.0/24 any -P out ipsec esp/tunnel/box2-box/unique;
spdadd 192.168.10.0/24 192.168.20.0/24 any -P in ipsec esp/tunnel/box-box2/unique;

However, I still get the ipsec_common message, albeit not as often; it now appears
only when I restart racoon. I also tried matching the SPIs, but the SPIs given by
setkey -Da did not match the ones in the log.

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
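The three-way SPI comparison Bjoern suggests (kernel log vs. `setkey -Da` vs. `tcpdump proto 50`) is easy to get wrong by eye when SAs are being rekeyed. The script below is an added example, not part of this thread and not FreeBSD or racoon code: it parses the three outputs and reports which SPIs are arriving on the wire without an SA in the SAD, and which logged SPIs are now installed (the pattern you would expect around a racoon restart). All sample lines are constructed; the `setkey` and `tcpdump` shapes follow what is discussed above, while the exact kernel log line format after the "no key association found for SA" prefix is an assumption.

```python
import re

# Constructed sample data, not taken from the thread. Addresses are from the
# 203.0.113.0/24 documentation range. The kernel log line format beyond the
# message prefix is an assumption.
SETKEY_DA = """\
203.0.113.1 203.0.113.2
\tesp mode=tunnel spi=305419896(0x12345678) reqid=1(0x00000001)
\tE: aes-cbc  ...
203.0.113.2 203.0.113.1
\tesp mode=tunnel spi=2271560481(0x87654321) reqid=1(0x00000001)
\tE: aes-cbc  ...
"""

TCPDUMP_ESP = """\
14:25:30.000001 IP 203.0.113.2 > 203.0.113.1: ESP(spi=0x87654321,seq=0x1a), length 132
14:25:31.000002 IP 203.0.113.2 > 203.0.113.1: ESP(spi=0x0badcafe,seq=0x1), length 132
14:25:31.500003 IP 203.0.113.1 > 203.0.113.2: ESP(spi=0x12345678,seq=0x2b), length 132
"""

KERNEL_LOG = """\
Dec 29 14:25:29 box kernel: ipsec_common_input: no key association found for SA 203.0.113.1/87654321/50
Dec 29 14:25:31 box kernel: ipsec_common_input: no key association found for SA 203.0.113.1/0badcafe/50
Dec 29 14:25:32 box kernel: ipsec_common_input: no key association found for SA 203.0.113.1/0badcafe/50
"""

# setkey -Da prints spi=<decimal>(0x<hex>); tcpdump prints ESP(spi=0x<hex>,seq=...);
# the kernel prints <dst>/<hex spi>/<proto> (0x prefix accepted just in case).
SETKEY_SPI_RE = re.compile(r"spi=\d+\(0x([0-9a-fA-F]+)\)")
TCPDUMP_SPI_RE = re.compile(r"ESP\(spi=0x([0-9a-fA-F]+)")
LOG_SPI_RE = re.compile(
    r"no key association found for SA [^\s/]+/(?:0x)?([0-9a-fA-F]+)/\d+")


def spis_from_setkey(text):
    """SPIs of every SA currently installed in the kernel SAD (setkey -Da)."""
    return {int(h, 16) for h in SETKEY_SPI_RE.findall(text)}


def spis_from_tcpdump(text):
    """SPIs of ESP packets actually seen on the wire (tcpdump -s 0 -vv -ln proto 50)."""
    return {int(h, 16) for h in TCPDUMP_SPI_RE.findall(text)}


def spis_from_log(text):
    """SPIs the kernel rejected in ipsec_common_input messages."""
    return {int(h, 16) for h in LOG_SPI_RE.findall(text)}


def diagnose(sad, wire, logged):
    """Cross-check the three views; returns sorted hex SPI lists per finding."""
    def fmt(spis):
        return sorted("0x%08x" % spi for spi in spis)
    return {
        # ESP traffic arriving for an SPI this side has no SA for: the peer is
        # still sending on an SA this side tore down (or never installed).
        "on_wire_without_sa": fmt(wire - sad),
        # Logged SPI that is in the SAD now: the SA was installed after the
        # packet arrived, the expected transient around a racoon restart.
        "logged_but_now_installed": fmt(logged & sad),
        # Logged SPI never seen in the capture: rekeying outside the capture
        # window, or the log and the wire genuinely disagree (suspect the patch).
        "logged_but_not_captured": fmt(logged - wire),
    }


def run_example():
    """Run the comparison over the constructed sample data."""
    return diagnose(spis_from_setkey(SETKEY_DA),
                    spis_from_tcpdump(TCPDUMP_ESP),
                    spis_from_log(KERNEL_LOG))


if __name__ == "__main__":
    for finding, spis in run_example().items():
        print("%-26s %s" % (finding, spis))
```

In practice you would feed it the real outputs captured over the same time window (`setkey -Da` taken right after the log message, and the tcpdump run alongside); an SPI that shows up under `on_wire_without_sa` but never under `logged_but_now_installed` points at a peer that keeps using a dead SA rather than at a restart transient.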