+ipsec_common_input: no key association found for SA
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Mon Dec 29 22:30:07 UTC 2008
On Mon, 29 Dec 2008, Bjoern A. Zeeb wrote:
> On Mon, 29 Dec 2008, Gabe wrote:
>
>> This is what setkey -Da returns:
>> box# setkey -Da
>> Invalid extension type
>> Invalid extension type
>> box#
>
> you are running with the NAT-T patch (as I see you say further down).
> Try /usr/local/sbin/setkey -Da in that case.
One more thing; if you are comparing SPIs from the log with setkey,
you can also run
tcpdump -s 0 -vv -ln proto 50
and it will show you something like
... ESP(spi=0x12345678,seq=0x..),
so you could as well compare what you receive on the wire with what
you get in the log. This would help to eliminate the case of a
problematic patch.
/bz
--
Bjoern A. Zeeb The greatest risk is not taking one.
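
The comparison suggested in the message above can be scripted. The following is an added example, not part of the original post: it lists SPIs seen in tcpdump ESP lines that have no entry in a `setkey -Da` dump. The sample data is constructed, and the `spi=<decimal>(0x<hex>)` layout of the setkey output is an assumption about the installed setkey.

```shell
#!/bin/sh
# Added example: find ESP SPIs seen on the wire that have no matching SA.

# Constructed tcpdump lines, in the "ESP(spi=0x...,seq=0x...)" shape quoted in the post.
sample_tcpdump() {
cat <<'EOF'
22:30:01.000001 IP 192.0.2.10 > 192.0.2.20: ESP(spi=0x0a1b2c3d,seq=0x1f), length 116
22:30:01.500002 IP 192.0.2.10 > 192.0.2.20: ESP(spi=0x0badcafe,seq=0x3), length 116
22:30:02.000003 IP 192.0.2.10 > 192.0.2.20: ESP(spi=0x0a1b2c3d,seq=0x20), length 116
EOF
}

# Constructed SAD dump; the "spi=<dec>(0x<hex>)" format is an assumption.
sample_setkey() {
cat <<'EOF'
192.0.2.10 192.0.2.20
	esp mode=tunnel spi=169552957(0x0a1b2c3d) reqid=0(0x00000000)
192.0.2.20 192.0.2.10
	esp mode=tunnel spi=12648430(0x00c0ffee) reqid=0(0x00000000)
EOF
}

# Normalise bare hex SPIs to unique, lowercase, zero-padded 0xXXXXXXXX form.
norm_spis() {
    tr 'A-F' 'a-f' |
        awk '{ while (length($0) < 8) $0 = "0" $0; print "0x" $0 }' | sort -u
}

# SPIs from tcpdump ESP lines on stdin.
wire_spis() { sed -n 's/.*ESP(spi=0x\([0-9A-Fa-f]*\),.*/\1/p' | norm_spis; }

# SPIs from a setkey -Da dump on stdin.
sad_spis() { sed -n 's/.*spi=[0-9]*(0x\([0-9A-Fa-f]*\)).*/\1/p' | norm_spis; }

# $1 = tcpdump text, $2 = setkey text; prints SPIs received without a known SA.
unmatched_spis() {
    sad=$(printf '%s\n' "$2" | sad_spis)
    printf '%s\n' "$1" | wire_spis | while read -r spi; do
        printf '%s\n' "$sad" | grep -qxF -- "$spi" || printf '%s\n' "$spi"
    done
}

echo "SPIs on the wire with no SA:"
unmatched_spis "$(sample_tcpdump)" "$(sample_setkey)"
```

On a live system the two arguments would be the captured tcpdump text and the output of the setkey binary that matches the running kernel.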