ah_input: packet replay failure

Bjoern A. Zeeb bzeeb-lists at lists.zabbadoz.net
Sat Dec 4 10:45:08 UTC 2010


On Fri, 3 Dec 2010, Eugene M. Zheganin wrote:

> Hi.
>
> On 03.12.2010 01:58, Bjoern A. Zeeb wrote:
>>> 
>>> FreeBSD A >======ipsec over gre===> FreeBSD B
>> I'm using FreeBSD as a security gateway:
>> 
>> What it means is that a packet with either an invalid sequence, a
>> sequence lower than the last seen and outside the window, or a
>> sequence seen already (lately) has arrived.
>> 
>> Could it be that something is duplicating packets or that you have
>> packet loss between A and B?  Given that you say that you are running
>> IPsec on top of GRE (which sounds strange anyway) I'd monitor the
>> outer tunnel endpoints independently to see what's going on.
> Well, could you be more exact, please, about what you meant by saying 
> 'strange'?
> Probably my English isn't that good; I just tried to say that I use ipsec to 
> encrypt my gre tunnels.

If it is ipsec outer and gre inner encapsulation, that's fine.  I was
worried that you'd do it the other way round for some reason.  So it's
gre inside ipsec.

> Could this out-of-sequence thing be caused by traffic shaping, such as pf 
> ALTQing?

Yes. Very likely, especially if you have bursts of packets.

/bz

-- 
Bjoern A. Zeeb                              Welcome a new stage of life.
         <ks> Going to jail sucks -- <bz> All my daemons like it!
   http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html
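The "packet replay failure" message discussed above comes from the IPsec anti-replay check: the receiver keeps the highest sequence number accepted so far plus a bitmap of recently seen numbers, and a packet is dropped if its sequence number is invalid, older than the window, or already marked in the bitmap. The following is an added illustration of that check in the style of RFC 4302 / RFC 4303 section 3.4.3; it is not code from this thread nor from FreeBSD's ipsec implementation, the window size of 64 and the sample sequence numbers are constructed, and 32-bit wraparound and extended sequence numbers are deliberately left out. It shows why a shaper that delays a burst and lets later packets through first produces exactly these failures: packets reordered within the window are still accepted, packets that fall behind by more than the window are dropped as "too old", and duplicates are dropped as replays.

```python
# Simplified model of the IPsec AH/ESP anti-replay sliding window.
# Illustration only (not FreeBSD's ipsec(4) code); window size and
# sample sequence numbers below are constructed for the example.

class ReplayWindow:
    def __init__(self, size=64):
        self.size = size
        self.last_seq = 0   # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence (last_seq - i) was seen

    def check_and_update(self, seq):
        """Return (accepted, reason); state is updated only on accept."""
        if seq == 0:
            # Sequence number 0 is never transmitted on a valid SA.
            return False, "invalid sequence"
        if seq > self.last_seq:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.last_seq
            if shift >= self.size:
                self.bitmap = 1   # whole old window is out of range
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.last_seq = seq
            return True, "new highest"
        diff = self.last_seq - seq
        if diff >= self.size:
            # Lower than the last seen and outside the window.
            return False, "too old (outside window)"
        if self.bitmap & (1 << diff):
            # Already marked: a duplicate or a real replay.
            return False, "replayed (seen already)"
        # Late but still inside the window: accept and mark it.
        self.bitmap |= (1 << diff)
        return True, "late but within window"


def simulate(seqs, size=64):
    """Feed a sequence of arrival orders through one window.

    Returns a list of (seq, accepted, reason) so the effect of reordering
    can be inspected packet by packet.
    """
    win = ReplayWindow(size)
    return [(s,) + win.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: a shaper holds back a burst (4..10) and
    # delivers packet 70 first, so 4 is now more than 64 behind.
    arrivals = [1, 2, 3, 70, 4, 10, 10, 69]
    for seq, ok, why in simulate(arrivals):
        print(f"seq={seq:3d} {'accept' if ok else 'DROP  '} {why}")
```

Running the block prints one line per packet; the drops for seq 4 (too old) and the second seq 10 (already seen) are the two conditions behind the log message, while 69 and the first 10 are accepted even though they arrive out of order. On a real gateway the fix is to keep reordering inside the window (shape the outer tunnel traffic, or check loss and duplication on the outer endpoints as suggested above) rather than to disable the replay check.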