Re: +ipsec_common_input: no key association found for SA

2009-01-07 Thread Gabe
> From: Gabe > Subject: Re: +ipsec_common_input: no key association found for SA > To: "Bjoern A. Zeeb" > Cc: freebsd-net@freebsd.org > Date: Sunday, January 4, 2009, 4:11 AM > > From: Bjoern A. Zeeb > > > Subject: Re: +ipsec_common_input: no key

Re: +ipsec_common_input: no key association found for SA

2009-01-04 Thread Gabe
> From: Bjoern A. Zeeb > Subject: Re: +ipsec_common_input: no key association found for SA > To: "Gabe" > Cc: freebsd-net@freebsd.org > Date: Sunday, January 4, 2009, 3:24 AM > On Sun, 4 Jan 2009, Gabe wrote: > > Hi, > > >>> Ok, can you try r

Re: +ipsec_common_input: no key association found for SA

2009-01-04 Thread Bjoern A. Zeeb
On Sun, 4 Jan 2009, Gabe wrote: Hi, Ok, can you try running the following script and see if the output times match your racoon restarts or the log entries? You hadn't answered that question to correlate the tcpdump with racoon restarts and kernel log entries. If you do that, you may want t

Re: +ipsec_common_input: no key association found for SA

2009-01-04 Thread Gabe
> From: Gabe > Subject: Re: +ipsec_common_input: no key association found for SA > To: "Bjoern A. Zeeb" > Cc: freebsd-net@freebsd.org > Date: Tuesday, December 30, 2008, 11:56 PM > > From: Bjoern A. Zeeb > > > Subject: Re: +ipsec_common_input: no key

Re: +ipsec_common_input: no key association found for SA

2008-12-30 Thread Gabe
> From: Bjoern A. Zeeb > Subject: Re: +ipsec_common_input: no key association found for SA > To: "Gabe" > Cc: freebsd-net@freebsd.org > Date: Tuesday, December 30, 2008, 6:24 AM > On Tue, 30 Dec 2008, Gabe wrote: > > >> One more thing; if you are c

Re: +ipsec_common_input: no key association found for SA

2008-12-30 Thread David DeSimone
Gabe wrote: > > However I still get the ipsec_common message albeit not as often, it > appears to only be when I restart racoon now. I also tried matching > the SPIs but the SPIs given by setkey -Da did not match the ones on > the log. That is exactly what the kernel is trying to tell you. The

Re: +ipsec_common_input: no key association found for SA

2008-12-30 Thread Bjoern A. Zeeb
On Tue, 30 Dec 2008, Gabe wrote: One more thing; if you are comparing SPIs from the log with setkey, you can also run tcpdump -s 0 -vv -ln proto 50 and it will show you something like ... ESP(spi=0x12345678,seq=0x..), so you could as well compare what you receive on the wire with what you ge

Re: +ipsec_common_input: no key association found for SA

2008-12-30 Thread Gabe
- Original Message > From: Bjoern A. Zeeb > To: Gabe > Cc: freebsd-net@freebsd.org > Sent: Monday, December 29, 2008 2:25:32 PM > Subject: Re: +ipsec_common_input: no key association found for SA > > On Mon, 29 Dec 2008, Bjoern A. Zeeb wrote: > > > O

Re: +ipsec_common_input: no key association found for SA

2008-12-29 Thread Bjoern A. Zeeb
On Mon, 29 Dec 2008, Bjoern A. Zeeb wrote: On Mon, 29 Dec 2008, Gabe wrote: This is what setkey -Da returns: box# setkey -Da Invalid extension type Invalid extension type box# you are running with the NAT-T patch (as I see you say further down). Try /usr/local/sbin/setkey -Da in that case.

Re: +ipsec_common_input: no key association found for SA

2008-12-29 Thread Bjoern A. Zeeb
On Mon, 29 Dec 2008, Gabe wrote: I guess more importantly would be the ipsec configuration: spdadd 192.168.10.0/24 192.168.10.165/32 any -P in none; spdadd 192.168.10.165/32 192.168.10.0/24 any -P out none; spdadd 192.168.10.0/24 192.168.20.0/24 any -P out ipsec esp/tunnel/box-box2/unique; sp

Re: +ipsec_common_input: no key association found for SA

2008-12-29 Thread Bjoern A. Zeeb
On Mon, 29 Dec 2008, Gabe wrote: This is what setkey -Da returns: box# setkey -Da Invalid extension type Invalid extension type box# you are running with the NAT-T patch (as I see you say further down). Try /usr/local/sbin/setkey -Da in that case. -- Bjoern A. Zeeb The g

Re: +ipsec_common_input: no key association found for SA

2008-12-29 Thread David DeSimone
Gabe wrote: > > spdadd 192.168.10.0/24 192.168.20.0/24 any -P out ipsec > esp/tunnel/box-box2/unique; > spdadd 192.168.20.0/24 192.168.10.0/24 any -P in ipsec > esp/tunnel/box-box2/unique; One or the other of these should have "box2-box" in place of "box-box2". Though this may just be an infor

Re: +ipsec_common_input: no key association found for SA

2008-12-29 Thread Gabe
> To: Bjoern A. Zeeb > Cc: freebsd-net@freebsd.org > Sent: Monday, December 29, 2008 6:18:36 AM > Subject: Re: +ipsec_common_input: no key association found for SA > > > From: Bjoern A. Zeeb > > To: Gabe > > Cc: freebsd-net@freebsd.org > > Sent: Monday, D

Re: +ipsec_common_input: no key association found for SA

2008-12-29 Thread Gabe
> From: Bjoern A. Zeeb > To: Gabe > Cc: freebsd-net@freebsd.org > Sent: Monday, December 29, 2008 5:19:16 AM > Subject: Re: +ipsec_common_input: no key association found for SA > > On Mon, 29 Dec 2008, Bjoern A. Zeeb wrote: > > > On Mon, 29 Dec 2008, Gabe wr

Re: +ipsec_common_input: no key association found for SA

2008-12-29 Thread Bjoern A. Zeeb
On Mon, 29 Dec 2008, Bjoern A. Zeeb wrote: On Mon, 29 Dec 2008, Gabe wrote: Anyone know what causes this error message? +ipsec_common_input: no key association found for SA 69.x.x.x[0]/04e317a1/50 from what I remember without looking, this means that you have an IPsec policy for src/dst

Re: +ipsec_common_input: no key association found for SA

2008-12-29 Thread Bjoern A. Zeeb
On Mon, 29 Dec 2008, Gabe wrote: Anyone know what causes this error message? +ipsec_common_input: no key association found for SA 69.x.x.x[0]/04e317a1/50 from what I remember without looking, this means that you have an IPsec policy for src/dst but no SA matching this pair or rather no

+ipsec_common_input: no key association found for SA

2008-12-29 Thread Gabe
Anyone know what causes this error message? +ipsec_common_input: no key association found for SA 69.x.x.x[0]/04e317a1/50 +ipsec_common_input: no key association found for SA 69.x.x.x[0]/04e317a1/50 +ipsec_common_input: no key association found for SA 69.x.x.x[0]/04e317a1/50 +ipsec_common_input