On Fri, 3 Dec 2010, Eugene M. Zheganin wrote:

Hi.

On 03.12.2010 01:58, Bjoern A. Zeeb wrote:

FreeBSD A >======ipsec over gre===> FreeBSD B
I'm using FreeBSD as a security gateway:

What it means is that a packet with either an invalid sequence, a
sequence lower than the last seen and outside the window, or a
sequence seen already (lately) has arrived.

Could it be that something is duplicating packets or that you have
packet loss between A and B?  Given that you say that you are running
IPsec on top of GRE (which sounds strange anyway) I'd monitor the
outer tunnel endpoints independently to see what's going on.

Well, could you be more exact, please, about what you meant by saying 'strange'? Probably my English isn't that good; I just tried to say that I use ipsec to encrypt my gre tunnels.

If it is ipsec outer and gre inner encapsulation, that's fine.  I was
worried that you'd do it the other way round for some reason.  So it's
gre inside ipsec.

Could this out-of-the-sequence thing be caused by traffic shaping, such as pf ALTQing?

Yes. Very likely, especially if you have bursts of packets.

/bz

--
Bjoern A. Zeeb                              Welcome a new stage of life.
        <ks> Going to jail sucks -- <bz> All my daemons like it!
  http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html
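
The replay check described in the message above (invalid sequence, lower than the last seen and outside the window, or seen already), as an added example that is not part of the original thread and is not FreeBSD's own code. It assumes a 32-packet window, and the type and function names are hypothetical; the constructed scenario shows a queue holding one packet back while a burst overtakes it.

```c
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 32u  /* assumed window size, in packets */

enum replay_verdict { REPLAY_OK, REPLAY_INVALID, REPLAY_TOO_OLD, REPLAY_DUPLICATE };

struct replay_state {
    uint32_t last_seq;  /* highest sequence number accepted so far */
    uint32_t bitmap;    /* bit i set: sequence (last_seq - i) was seen */
};

/* Check one received sequence number and record it if accepted. */
static enum replay_verdict replay_check(struct replay_state *rs, uint32_t seq)
{
    if (seq == 0)
        return REPLAY_INVALID;          /* senders start counting at 1 */
    if (seq > rs->last_seq) {           /* newer packet: slide the window */
        uint32_t shift = seq - rs->last_seq;
        rs->bitmap = (shift < REPLAY_WINDOW) ? (rs->bitmap << shift) | 1u : 1u;
        rs->last_seq = seq;
        return REPLAY_OK;
    }
    uint32_t behind = rs->last_seq - seq;
    if (behind >= REPLAY_WINDOW)
        return REPLAY_TOO_OLD;          /* lower than last seen, outside window */
    if (rs->bitmap & (1u << behind))
        return REPLAY_DUPLICATE;        /* seen already */
    rs->bitmap |= 1u << behind;         /* late but inside the window */
    return REPLAY_OK;
}

/* Constructed scenario: a queue holds packet 5 back while `burst` later
 * packets overtake it; returns the verdict when packet 5 finally arrives. */
static enum replay_verdict delayed_packet_verdict(uint32_t burst)
{
    struct replay_state rs = {0, 0};
    uint32_t s;
    for (s = 1; s <= 4; s++) replay_check(&rs, s);
    for (s = 6; s <= 5 + burst; s++) replay_check(&rs, s);
    return replay_check(&rs, 5);
}

int main(void)
{
    printf("burst of 10: %d\n", delayed_packet_verdict(10));
    printf("burst of 40: %d\n", delayed_packet_verdict(40));
    return 0;
}
```

With these assumptions a packet delayed behind 31 newer ones is still accepted, while one delayed behind 32 or more is dropped as too old, which is how reordering by a shaper during bursts can trigger the replay check without any attacker involved.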