ipsec routing issue

Aristedes Maniatis ari at ish.com.au
Tue Dec 30 05:50:38 UTC 2014 

On 30/12/2014 11:09am, Dewayne Geraghty wrote:
> # These remain the same on the two end-points
> add 110.92.114.99 101.48.55.78 esp 25131 -E rijndael-cbc
> "from_here_to_there12345 *";
> add 101.48.55.78 110.92.114.99 esp 25136 -E rijndael-cbc
> "from_there_to_here 12345&";

I've never done anything like this, just spdadd lines... none of the docs I've found say to do this. I understand that this adds entries to the Security Association Database, which sounds like a union for security people.

When I look at the result of "setkey -D" I get 12 entries, so it seems that something is there already. Looks like I get a set of three entries for each tunnel, for each direction.

202.161.111.54 202.127.223.110
	ipcomp mode=tunnel spi=32898(0x00008082) reqid=16394(0x0000400a)
	C: deflate 	seq=0x00000000 replay=0 flags=0x00000080 state=mature
	created: Dec 30 15:33:39 2014	current: Dec 30 16:26:14 2014
	diff: 3155(s)	hard: 14400(s)	soft: 11120(s)
	last:                     	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=2 pid=38134 refcnt=1
202.161.111.54 202.127.223.110
	ipcomp mode=tunnel spi=49151(0x0000bfff) reqid=16394(0x0000400a)
	C: deflate 	seq=0x00000000 replay=0 flags=0x00000080 state=mature
	created: Dec 30 15:33:29 2014	current: Dec 30 16:26:14 2014
	diff: 3165(s)	hard: 14400(s)	soft: 11120(s)
	last:                     	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=1 pid=38134 refcnt=1
202.161.111.54 202.127.223.110
	esp mode=tunnel spi=229368149(0x0dabe155) reqid=0(0x00000000)
	E: blowfish-cbc  0c9e4d52 f7550f65 f5000990 5597db6e
	A: hmac-sha1  dd05d1b2 78f43bcb 56bc7d5d 60c7c9bc 918f2c2a
	seq=0x00001483 replay=4 flags=0x00000000 state=mature
	created: Dec 30 15:33:29 2014	current: Dec 30 16:26:14 2014
	diff: 3165(s)	hard: 14400(s)	soft: 11120(s)
	last: Dec 30 16:26:14 2014	hard: 0(s)	soft: 0(s)
	current: 421280(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 5251	hard: 0	soft: 0
	sadb_seq=0 pid=38134 refcnt=1

Am I expecting to see "C: deflate" in here twice?



(again, like the other emails, I've changed a a few IP addresses to obfuscate the real servers, but I changed them the same way as in the other email).


Thanks for your help

Ari


-- 
-------------------------->
Aristedes Maniatis
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001   fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A

More information about the freebsd-stable mailing list