multiple if_ipsec

Andrey V. Elsukov bu7cher at yandex.ru
Fri Apr 20 16:45:33 UTC 2018


On 20.04.2018 18:48, Victor Gamov wrote:
> More correct problem is: last configured ipsec interface tx/rx traffic
> only. For my example:
> 
> - ping from 10.10.98.1 to 10.10.98.2 via ipsec30 is OK
> 
> - ping from 10.10.98.2 to 10.10.98.1 via ipsec30 is OK
> 
> - ping from 10.10.98.5 (Cisco) to 10.10.98.6 via ipsec25 -- no
> responses, but I see ESP traffic on external interface and (!!!)
> ICMP-reply from 10.10.98.5 to 10.10.98.6 on ipsec25  (but no
> ICMP-request on ipsec25 !!!)
> 
> - ping from 10.10.98.6 to 10.10.98.5 via ipsec25 -- no responses, I see
> ICMP-request on ipsec25 but no ESP-traffic on external interface

This looks like you don't have an outbound SA for the ipsec25 interface.
If you run `netstat -w1 -I ipsec25` and ping 10.10.98.5
there should be output errors.

`setkey -D` should have an SA:

IP-FreeBSD IP-Cisco-RTR-1
    esp mode=tunnel spi=xxxx reqid=25
    ......
    ................. state=mature

Do you have it?

-- 
WBR, Andrey V. Elsukov
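A small check for the condition diagnosed above, added here as an example and not part of the thread: it parses `setkey -D` output and counts mature tunnel-mode ESP SAs in each direction for an interface's reqid, so a missing outbound SA shows up directly. The endpoint addresses and the sample output are constructed, and it assumes, as in the thread, that ipsecN is configured with reqid N.

```shell
#!/bin/sh
# Constructed sample of `setkey -D` output (not from the thread). Real output
# also carries E:/A:/created:/diff: lines, which the parser simply ignores.
# Tunnel endpoints: 192.0.2.1 = FreeBSD side, 198.51.100.1 = peer router.
SAMPLE_SETKEY_D='192.0.2.1 198.51.100.1
    esp mode=tunnel spi=1001(0x000003e9) reqid=30(0x0000001e)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.1 192.0.2.1
    esp mode=tunnel spi=1002(0x000003ea) reqid=30(0x0000001e)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.1 192.0.2.1
    esp mode=tunnel spi=1003(0x000003eb) reqid=25(0x00000019)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.1 198.51.100.1
    esp mode=tunnel spi=1004(0x000003ec) reqid=25(0x00000019)
    seq=0x00000000 replay=4 flags=0x00000000 state=larval'

# count_mature_sa SRC DST REQID: read `setkey -D` text on stdin and count
# tunnel-mode ESP SAs from SRC to DST with that reqid in state=mature.
count_mature_sa() {
    awk -v src="$1" -v dst="$2" -v reqid="$3" '
        /^[^ \t]/ {                      # "src dst" header opens each SA entry
            sub(/\[.*/, "", $1); sub(/\[.*/, "", $2)   # strip NAT-T [port]
            pair = ($1 == src && $2 == dst); ok = 0; next
        }
        pair && $1 == "esp" && $2 == "mode=tunnel" {
            r = $4; sub(/\(.*/, "", r)   # "reqid=25(0x00000019)" -> "reqid=25"
            ok = (r == "reqid=" reqid)
        }
        pair && ok && /state=mature/ { n++ }
        END { print n + 0 }'
}

# check_ipsec_if LOCAL PEER REQID SETKEY_OUTPUT: succeed only when ipsec<REQID>
# has a mature SA in both directions; a missing outbound SA is exactly the
# "ICMP-request on the interface but no ESP on the wire" symptom.
check_ipsec_if() {
    n_out=$(printf '%s' "$4" | count_mature_sa "$1" "$2" "$3")
    n_in=$(printf '%s' "$4" | count_mature_sa "$2" "$1" "$3")
    echo "ipsec$3: outbound mature SAs=$n_out, inbound mature SAs=$n_in"
    [ "$n_out" -gt 0 ] && [ "$n_in" -gt 0 ]
}

# Demo on the sample: ipsec30 is healthy, ipsec25 lacks its outbound SA.
# On a live host: check_ipsec_if LOCAL PEER 25 "$(setkey -D)"
check_ipsec_if 192.0.2.1 198.51.100.1 30 "$SAMPLE_SETKEY_D" || true
check_ipsec_if 192.0.2.1 198.51.100.1 25 "$SAMPLE_SETKEY_D" || true
```

A larval or dying SA is deliberately not counted, so an SA that is present but not yet usable is reported the same way as a missing one.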
