On 20/04/2018 19:42, Andrey V. Elsukov wrote:
On 20.04.2018 18:48, Victor Gamov wrote:
A more correct description of the problem is: only the last configured ipsec
interface passes tx/rx traffic. For my example:

- ping from 10.10.98.1 to 10.10.98.2 via ipsec30 is OK

- ping from 10.10.98.2 to 10.10.98.1 via ipsec30 is OK

- ping from 10.10.98.5 (Cisco) to 10.10.98.6 via ipsec25 -- no
responses, but I see ESP traffic on external interface and (!!!)
ICMP-reply from 10.10.98.5 to 10.10.98.6 on ipsec25  (but no
ICMP-request on ipsec25 !!!)

- ping from 10.10.98.6 to 10.10.98.5 via ipsec25 -- no responses, I see
ICMP-request on ipsec25 but no ESP-traffic on external interface

This looks like you don't have an outbound SA for the ipsec25 interface.
If you run `netstat -w1 -I ipsec25` and ping 10.10.98.5,
there should be output errors.

`setkey -D` should have SA:

IP-FreeBSD IP-Cisco-RTR-1
     esp mode=tunnel spi=xxxx reqid=25
     ......
     ................. state=mature

Do you have it?

Yes, I have all SAs -- two for every ipsec interface. And no errors at `netstat -w1 -I ipsec25` while pinging 10.10.98.5; only the output bytes counter shows 84 bytes per second (one ICMP request).

When I change the creation order of the ipsec interfaces, only the last created interface works fine again and the previously configured interfaces do not work.


And a very interesting fact: when I ping from the remote 10.10.98.5, for example, to the FreeBSD 10.10.98.6, no ICMP request comes in over the ipsec interface, but an ICMP reply goes out via this ipsec interface (and is not delivered to 10.10.98.5).


Any ideas?

--
Best regards,
Victor Gamov
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
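A script that automates the `setkey -D` check Andrey suggests, added here as an example and not code from the thread: it parses a constructed dump (assumed addresses) and reports, per reqid, which direction has no mature SA, which is exactly the "no outbound SA for ipsec25" condition being discussed. The local tunnel endpoint address passed in is an assumption.

```python
import re

# Constructed sample of `setkey -D` output (assumed addresses), trimmed to the
# lines the parser uses: reqid 30 (ipsec30) has inbound and outbound SAs,
# reqid 25 (ipsec25) has only the inbound SA, the situation described above.
SAMPLE_SETKEY_D = """\
192.0.2.1 198.51.100.1
    esp mode=tunnel spi=268435458(0x10000002) reqid=30(0x0000001e)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.1 192.0.2.1
    esp mode=tunnel spi=268435457(0x10000001) reqid=30(0x0000001e)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
203.0.113.7 192.0.2.1
    esp mode=tunnel spi=268435459(0x10000003) reqid=25(0x00000019)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

SA_HEAD = re.compile(r"^(\S+)\s+(\S+)\s*$")  # unindented "src dst" line starts an SA
SA_PROTO = re.compile(r"^\s+(esp|ah)\s+mode=(\S+)\s+spi=(\d+).*?reqid=(\d+)")
SA_STATE = re.compile(r"state=(\w+)")

def parse_setkey_dump(text):
    """Return a list of SA dicts (src, dst, proto, mode, spi, reqid, state)."""
    sas, cur = [], None
    for line in text.splitlines():
        head = SA_HEAD.match(line) if line and not line[0].isspace() else None
        if head:
            cur = {"src": head.group(1), "dst": head.group(2), "state": None}
            sas.append(cur)
        elif cur is not None and (m := SA_PROTO.match(line)):
            cur.update(proto=m.group(1), mode=m.group(2),
                       spi=int(m.group(3)), reqid=int(m.group(4)))
        elif cur is not None and (m := SA_STATE.search(line)):
            cur["state"] = m.group(1)
    return sas

def sa_status_per_reqid(text, local_ip):
    """Map reqid -> {'in': state, 'out': state}; an SA whose src is local is outbound."""
    status = {}
    for sa in parse_setkey_dump(text):
        if "reqid" not in sa:
            continue
        direction = "out" if sa["src"] == local_ip else "in"
        status.setdefault(sa["reqid"], {"in": None, "out": None})[direction] = sa["state"]
    return status

def missing_mature_sas(text, local_ip):
    """Sorted (reqid, direction) pairs lacking a mature SA; that direction cannot pass traffic."""
    per_reqid = sa_status_per_reqid(text, local_ip)
    return sorted((reqid, d) for reqid, st in per_reqid.items()
                  for d in ("in", "out") if st[d] != "mature")
```

On a real host, feed it the output of `setkey -D` and the address configured as the if_ipsec tunnel source; any reqid reported as missing "out" matches the symptom of ESP never leaving the external interface.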