FreeBSD ipsec tunnel mode packet lost

Zaidi, Abbas Abbas_Zaidi at mentor.com
Thu Oct 1 08:00:39 UTC 2009


Thanks Yvan for the help

The problem got solved by changing the "in" security policy on the SGW from
ipsec level require to use, but I'm still not clear what the real issue
was. Why can't we use require on it?

Thanks, 

-----Original Message-----
From: VANHULLEBUS Yvan [mailto:vanhu at FreeBSD.org] 
Sent: Wednesday, September 30, 2009 6:08 PM
To: Zaidi, Abbas
Cc: freebsd-net at freebsd.org; Ansari, Fakhir; Khan, Fayyaz
Subject: Re: FreeBSD ipsec tunnel mode packet lost

On Wed, Sep 30, 2009 at 01:16:47PM +0200, Zaidi, Abbas wrote:
> Hi

Hi.


> I am having this strange problem establishing a tunnel between FreeBSD and
> Linux; my network setup is
[the setup]
> Once the SAs get negotiated I send a ping request from FreeBSDe to
> Linuxe. The packets get an IPsec header applied at FreeBSDr and reach
> Linuxe; a reply packet comes back at the Link1::e interface of FreeBSDr,
> and then the packet gets lost.
> 
> I am not using gif. Do I need it?

Probably not.


> I don't think anything is wrong with IPsec, as the seq of both the in and
> out SA are incrementing on every echo request/reply.

Please check the output of "netstat -s" (mainly the sections esp, ipsec6,
ip6), and see if some counters increase for each dropped packet.


[...]
> There is one strange thing about security policies: on Linux, in the case
> of a tunnel, there are 3 policies added (in, out, fwd), whereas FreeBSD
> only shows 2 (in, out).

This is specific to Linux's IPsec stack implementation; just forget
anything related to "fwd"...


Yvan.
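The two policy levels this thread contrasts, and the "netstat -s" counter
check Yvan suggests, as an added example that is not part of the original
messages. It is a shell script with hypothetical addresses standing in for
FreeBSDr, the Linux SGW and the networks behind them; the netstat snapshots
it compares are constructed, not real output, and the counter names in them
are illustrative. Per setkey(8), a "require" policy means an SA is
mandatory for matching traffic, while "use" applies an SA when one exists
and otherwise lets the packet pass in cleartext; so the fix described above
makes the tunnel optional rather than mandatory, and comparing the counters
(or watching the outer interface with tcpdump) is how to confirm traffic is
still being encapsulated after the change.

```shell
#!/bin/sh
# Added example, not from the thread: the two SPD variants the thread
# contrasts and the "netstat -s" counter check suggested in it.
# All addresses below are hypothetical stand-ins for the thread's hosts.

INNER_A="2001:db8:1::/64"   # network behind FreeBSDr (assumed)
INNER_B="2001:db8:2::/64"   # network behind the Linux SGW (assumed)
SGW_A="2001:db8:ff::1"      # FreeBSDr tunnel endpoint (assumed)
SGW_B="2001:db8:ff::2"      # Linux SGW tunnel endpoint (assumed)

# spd_policy LEVEL: print a setkey(8) spdadd pair for a tunnel-mode ESP
# policy. LEVEL "require" makes an SA mandatory for matching traffic;
# "use" protects it when an SA exists and otherwise passes it in
# cleartext, which is the change the thread reports as the fix.
spd_policy() {
    level="$1"
    cat <<EOF
spdadd $INNER_A $INNER_B any -P out ipsec esp/tunnel/$SGW_A-$SGW_B/$level;
spdadd $INNER_B $INNER_A any -P in ipsec esp/tunnel/$SGW_B-$SGW_A/$level;
EOF
}

# counter_delta BEFORE AFTER: compare two "netstat -s" snapshots and print
# "<increase> <section>: <counter>" for every counter that grew, which
# points at where a dropped packet was accounted.
counter_delta() {
    awk '
        /^[a-z0-9]+:$/ { section = $1; next }      # "esp:", "ipsec6:", ...
        /^[ \t]*[0-9]+ / {
            n = $1; $1 = ""                        # split count from text
            key = section $0                       # "esp: inbound ..."
            if (NR == FNR) before[key] = n         # first file: remember
            else if (n - before[key] > 0) print n - before[key], key
        }
    ' "$1" "$2"
}

# Constructed snapshots (not real netstat output) taken before and after
# five lost echo replies: ESP processes them, then the inner packets are
# counted as security policy violations.
sample_before() {
    cat <<'EOF'
esp:
        40 inbound packets processed successfully
        0 inbound packets violated process security policy
ipsec6:
        40 inbound packets processed successfully
        0 inbound packets violated process security policy
        38 outbound packets processed successfully
EOF
}

sample_after() {
    cat <<'EOF'
esp:
        45 inbound packets processed successfully
        0 inbound packets violated process security policy
ipsec6:
        40 inbound packets processed successfully
        5 inbound packets violated process security policy
        38 outbound packets processed successfully
EOF
}

# demo: run the comparison over the constructed snapshots.
demo() {
    tmp=$(mktemp -d) || return 1
    sample_before > "$tmp/before"
    sample_after > "$tmp/after"
    counter_delta "$tmp/before" "$tmp/after"
    rm -rf "$tmp"
}

spd_policy require
spd_policy use
demo
```

On a real gateway, take the two snapshots around a single ping so the only
counters that move are the ones tied to the lost reply.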

