I am preparing a bug report but just wanted to flag an issue that I discovered after a 6.3 to 6.4 uplift of an iked(8) endpoint.
We overlay vxlan(4) on top of iked(8) to provide seamless connectivity to site offices. I have uplifted our test endpoint to 6.4 and discovered that traffic had tanked, basically 99% of packets were being dropped. Investigations showed it isn't an iked(8) issue as the P-t-P traffic is moving as expected and not throwing the error. As soon as you send traffic over the unicast vxlan tunnel, that is when you see the error.

Here is a capture from enc0 on the endpoint:

09:14:42.281342 (authentic,confidential): SPI 0xa093378e: ipcomp 192.168.1.1 > 192.168.1.2 cpi 0x0BCE flags 0 next 4
09:14:42.281396 (authentic,confidential): SPI 0x00000bce: 192.168.1.1.4789 > 192.168.1.2.4789: vxlan 35: 10.1.1.1 > 10.1.1.2: icmp: echo request [tos 0x10] (encap)
09:14:42.281430 (unprotected): SPI 0x00001a63: 192.168.1.2.4789 > 192.168.1.1.4789: vxlan 35: 10.1.1.2 > 10.1.1.1: icmp: echo reply [tos 0x10] (encap)
09:14:42.281631 (authentic,confidential): SPI 0x03096f78: bad-ip-version 7 (encap)

Any configuration advice would be appreciated if it isn't a bug.

FYI the main termination device is still 6.3#10

Cheers.

Jason.