Duplicate SAD entries lead to ESP tunnel malfunction

Julian Elischer julian at elischer.org
Thu Jan 26 11:51:37 PST 2006


Oleg Tarasov wrote:

>Hello,
>
>I run FreeBSD 6.0 and installed the latest ported version of ipsec-tools.
>
>I had to create two IPSEC tunnels to two different hosts. One host
>runs FreeBSD too; the other is a D-Link DI-804HV hardware router.
>That router is supposed to support IPSEC tunnelling and seems to
>work fine.
>
>When an IPSEC tunnel is established, two SAD entries are created, one
>per direction. This is normal functioning.
>
>In my case, sometimes two more are created. Some connection problem
>occurs, causing both sides to reestablish the tunnel. Both sides
>report that the tunnel is established successfully, but no packets can
>pass through it. Dumping the SAD entries with
> setkey -D
>shows that there are two SAD entries for both address pairs.
>
>How can this happen anyway?
>
>Flushing the SAD entries restores the tunnel: after this the tunnel is
>established successfully and works properly.

There is a sysctl that can help this behaviour, but I forget which;
something to do with ipsec and oldSAD or newSAD or something..

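As an added example (not from either poster, and not part of ipsec-tools), here is a shell check for the symptom Oleg describes: more than one live SA for the same address pair and protocol in the `setkey -D` dump. It assumes the usual `setkey -D` layout (an unindented `src dst` line, then indented lines carrying `esp ... spi=N(0x..)` and `state=...`); the sample dump is constructed and the SPIs and addresses are made up.

```sh
#!/bin/sh
# Constructed sample of `setkey -D` output (not from the poster's system).
# Pairs 10.0.0.1<->10.0.0.2 each carry two SAs in state=mature, the broken
# situation from the thread. Pair 10.0.0.1->10.0.0.3 has one dying and one
# mature SA, which is ordinary rekeying and must not be flagged.
# Real output indents with tabs; spaces are used here and split the same way.
SAMPLE_SAD='10.0.0.1 10.0.0.2
    esp mode=tunnel spi=4096(0x00001000) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
10.0.0.2 10.0.0.1
    esp mode=tunnel spi=8192(0x00002000) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
10.0.0.1 10.0.0.2
    esp mode=tunnel spi=4097(0x00001001) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
10.0.0.2 10.0.0.1
    esp mode=tunnel spi=8193(0x00002001) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
10.0.0.1 10.0.0.3
    esp mode=tunnel spi=20(0x00000014) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=dying
10.0.0.1 10.0.0.3
    esp mode=tunnel spi=21(0x00000015) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature'

# Reads SAD text on stdin; prints "src dst proto count spi,spi,..." for each
# (src, dst, proto) that has more than one SA in state=mature. Only mature
# SAs are counted, so a dying SA left over from a rekey does not trigger it.
find_duplicate_sas() {
    awk '
        !/^[[:space:]]/ { src = $1; dst = $2; next }   # address-pair line
        $1 == "esp" || $1 == "ah" {                    # proto/spi line
            proto = $1; spi = $3
            sub(/\(.*/, "", spi); sub(/^spi=/, "", spi)
        }
        /state=mature/ {
            key = src " " dst " " proto
            n[key]++
            spis[key] = (spis[key] ? spis[key] "," : "") spi
        }
        END { for (k in n) if (n[k] > 1) print k, n[k], spis[k] }
    ' | sort
}

# On a live FreeBSD host the same check is:  setkey -D | find_duplicate_sas
printf '%s\n' "$SAMPLE_SAD" | find_duplicate_sas
```

A non-empty result is the moment to inspect the SPIs on both peers before flushing, since the peer may be encrypting to the SPI that this side no longer prefers.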

