On 20.04.2018 18:48, Victor Gamov wrote:
> More correct problem is: last configured ipsec interface tx/rx traffic
> only. For my example:
>
> - ping from 10.10.98.1 to 10.10.98.2 via ipsec30 is OK
>
> - ping from 10.10.98.2 to 10.10.98.1 via ipsec30 is OK
>
> - ping from 10.10.98.5 (Cisco) to 10.10.98.6 via ipsec25 -- no
> responses, but I see ESP traffic on external interface and (!!!)
> ICMP-reply from 10.10.98.5 to 10.10.98.6 on ipsec25 (but no
> ICMP-request on ipsec25 !!!)
>
> - ping from 10.10.98.6 to 10.10.98.5 via ipsec25 -- no responses, I see
> ICMP-request on ipsec25 but no ESP-traffic on external interface
This looks like you don't have an outbound SA for the ipsec25 interface.
If you run `netstat -w1 -I ipsec25` and ping 10.10.98.5, there should be
output errors. `setkey -D` should have the SA:

IP-FreeBSD IP-Cisco-RTR-1
	esp mode=tunnel spi=xxxx reqid=25 ......
	.................
	state=mature

Do you have it?

--
WBR, Andrey V. Elsukov
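As an added diagnostic aid, not from either poster: the POSIX shell script below parses `setkey -D` output and reports, for a given if_ipsec reqid, whether the SA in each direction (local to peer and peer to local) exists and is in state mature, which is exactly the check Andrey asks for. The SAD dump embedded in the script, its 203.0.113.x addresses and its SPIs are constructed sample data; the function names `sa_state` and `check_tunnel` are my own. On a live FreeBSD host you would feed it `"$(setkey -D)"` instead of the sample.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): check a setkey -D
# dump for the SA pair that an if_ipsec(4) interface with a given reqid
# needs. Function names and sample data below are invented for this demo.

# Constructed sample of `setkey -D` output. Addresses and SPIs are made up;
# only the line layout follows the real dump (real output indents the
# detail lines with a tab, which the parser accepts as well).
# reqid=30 has SAs in both directions; reqid=25 has only the inbound one
# (peer -> local), the situation the thread is discussing.
SAMPLE_SAD='203.0.113.10 203.0.113.20
        esp mode=tunnel spi=305419896(0x12345678) reqid=30(0x0000001e)
        E: aes-cbc  00112233445566778899aabbccddeeff
        A: hmac-sha1 00112233445566778899aabbccddeeff00112233
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
203.0.113.20 203.0.113.10
        esp mode=tunnel spi=2271560481(0x87654321) reqid=30(0x0000001e)
        E: aes-cbc  ffeeddccbbaa99887766554433221100
        A: hmac-sha1 ffeeddccbbaa99887766554433221100ffeeddcc
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
203.0.113.30 203.0.113.10
        esp mode=tunnel spi=19088743(0x01234567) reqid=25(0x00000019)
        E: aes-cbc  0f1e2d3c4b5a69788796a5b4c3d2e1f0
        A: hmac-sha1 0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c
        seq=0x00000000 replay=4 flags=0x00000000 state=mature'

# sa_state SRC DST REQID  < sad-dump
# Prints the state of the ESP SA from SRC to DST that carries REQID
# (mature, larval, dying, dead), or "missing" if no such SA is in the dump.
sa_state() {
        awk -v src="$1" -v dst="$2" -v want="$3" '
        # An unindented "src dst" line opens a new SA entry.
        /^[0-9a-fA-F:]/ && NF == 2 { cur_src = $1; cur_dst = $2; hit = 0; next }
        # reqid=25(0x00000019) -> 25; remember whether this entry is the one.
        /reqid=/ {
                r = $0; sub(/.*reqid=/, "", r); sub(/\(.*/, "", r)
                if (cur_src == src && cur_dst == dst && r == want) hit = 1
                next
        }
        # First state= line of the matching entry is the answer.
        hit && /state=/ {
                s = $0; sub(/.*state=/, "", s); sub(/[ \t].*/, "", s)
                print s; found = 1; exit
        }
        END { if (!found) print "missing" }'
}

# check_tunnel LOCAL PEER REQID SAD_DUMP
# Succeeds only when both the outbound (LOCAL -> PEER) and the inbound
# (PEER -> LOCAL) SA for REQID are mature; prints what it found either way.
check_tunnel() {
        out_state=$(printf '%s\n' "$4" | sa_state "$1" "$2" "$3")
        in_state=$(printf '%s\n' "$4" | sa_state "$2" "$1" "$3")
        printf 'reqid %s: outbound %s -> %s: %s; inbound %s -> %s: %s\n' \
                "$3" "$1" "$2" "$out_state" "$2" "$1" "$in_state"
        if [ "$out_state" = mature ] && [ "$in_state" = mature ]; then
                return 0
        fi
        return 1
}

# Demo on the constructed dump. On a real box use the live SAD instead:
#   check_tunnel <FreeBSD-IP> <Cisco-IP> 25 "$(setkey -D)"
# and watch `netstat -w1 -I ipsec25` for output errors while pinging.
for pair in "30 203.0.113.20" "25 203.0.113.30"; do
        set -- $pair
        if check_tunnel 203.0.113.10 "$2" "$1" "$SAMPLE_SAD"; then
                echo "reqid $1: SA pair complete"
        else
                echo "reqid $1: SA pair incomplete, traffic will be dropped on the missing side"
        fi
done
```

A missing outbound SA shows up here as `outbound ... missing` while the inbound SA is still mature, which matches the symptom above: inbound ESP is decrypted and the reply is handed to the interface, but nothing can be encapsulated on the way out.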