+ipsec_common_input: no key association found for SA

Gabe nrml at att.net
Wed Dec 31 07:56:16 UTC 2008


> From: Bjoern A. Zeeb <bzeeb-lists at lists.zabbadoz.net>
> Subject: Re: +ipsec_common_input: no key association found for SA
> To: "Gabe" <nrml at att.net>
> Cc: freebsd-net at freebsd.org
> Date: Tuesday, December 30, 2008, 6:24 AM
> On Tue, 30 Dec 2008, Gabe wrote:
> 
> >> One more thing; if you are comparing SPIs from the log with setkey,
> >> you can also run
> >> tcpdump -s 0 -vv -ln proto 50
> >> and it will show you something like
> >>     ... ESP(spi=0x12345678,seq=0x..),
> >> so you could as well compare what you receive on the wire with what
> >> you get in the log. This would help to eliminate the case of a
> >> problematic patch.
> >
> > However I still get the ipsec_common message albeit not as often, it
> > appears to only be when I restart racoon now. I also tried matching the
> > SPIs but the SPIs given by setkey -Da did not match the ones on the log.
> 
> Ok, can you try running the following script and see if the output
> times match your racoon restarts or the log entries?
> 
> You need to set your interface and the tunnel endpoint IPs
> (as in box/box2).
> 
> /bz

I restarted racoon and cleared out the keys then I ran the script which returned:

on BOX:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
23:51:13.032336 SPI changed uninitialized -> 0x0878469a
23:51:13.063318 SPI changed 0x0878469a -> 0x091b7ada
^C1154 packets captured
1597 packets received by filter
0 packets dropped by kernel

on BOX2:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
23:53:43.594785 SPI changed uninitialized -> 0x01d66237
^C2404 packets captured
9701 packets received by filter
0 packets dropped by kernel

box and box2 are the local and end point respectively.

/gabe
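
The comparison discussed in this thread (SPIs seen on the wire against SPIs in the SAD), as an added example; it is not the script referred to in the quoted reply and not part of the original message. It assumes one-line `tcpdump -ln proto 50` output and a saved `setkey -D` dump, and tracks each direction separately because an SA, and so its SPI, is unidirectional; `spi_watch`, `spi_watch_demo` and the sample addresses are made up for illustration.

```shell
#!/bin/sh
# Usage: spi_watch SADFILE < tcpdump-lines
# Live use (file name is an assumption):
#   setkey -D > sad.txt; tcpdump -ln proto 50 | spi_watch sad.txt
spi_watch() {
    awk -v sad="$1" '
    # Drop "0x" and leading zeros so SPIs from both tools compare equal.
    function norm(s) { s = tolower(s); sub(/^0x0*/, "", s); return s }

    # SAD dump lines: esp mode=tunnel spi=142099098(0x0878469a) reqid=...
    FILENAME == sad {
        if (match($0, /spi=[0-9]+\(0x[0-9a-fA-F]+\)/)) {
            split(substr($0, RSTART, RLENGTH), p, /[()]/)
            known[norm(p[2])] = 1
        }
        next
    }
    # Wire lines: 23:51:13.032336 IP a > b: ESP(spi=0x0878469a,seq=0x1), ...
    match($0, /ESP\(spi=0x[0-9a-fA-F]+/) {
        spi = tolower(substr($0, RSTART + 8, RLENGTH - 8))
        flow = match($0, /[^ ]+ > [^ ]+:/) ? substr($0, RSTART, RLENGTH - 1) : "?"
        old = (flow in last) ? last[flow] : "uninitialized"
        if (old == spi) next          # same SA as the previous packet
        last[flow] = spi
        k = norm(spi)
        printf "%s %s SPI changed %s -> %s (%s)\n", $1, flow, old, spi,
            (k in known) ? "SA present" : "no SA in dump"
    }' "$1" -
}

# Constructed sample input: documentation addresses, SPI values reused
# from the output quoted in the message above.
spi_watch_demo() {
    sadfile=$(mktemp) || return 1
    cat > "$sadfile" <<'EOF'
192.0.2.1 192.0.2.2
	esp mode=tunnel spi=152795866(0x091b7ada) reqid=0(0x00000000)
EOF
    spi_watch "$sadfile" <<'EOF'
23:51:13.032336 IP 192.0.2.1 > 192.0.2.2: ESP(spi=0x0878469a,seq=0x1), length 116
23:51:13.040000 IP 192.0.2.1 > 192.0.2.2: ESP(spi=0x0878469a,seq=0x2), length 116
23:51:13.063318 IP 192.0.2.1 > 192.0.2.2: ESP(spi=0x091b7ada,seq=0x1), length 116
23:51:14.000000 IP 192.0.2.2 > 192.0.2.1: ESP(spi=0x01d66237,seq=0x1), length 116
EOF
    rm -f "$sadfile"
}

spi_watch_demo
```

A wire SPI reported as "no SA in dump" is one for which the receiving side would have no matching SA to look up.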

