ipsec routing issue
Aristedes Maniatis
ari at ish.com.au
Tue Dec 30 05:50:38 UTC 2014
On 30/12/2014 11:09am, Dewayne Geraghty wrote:
> # These remain the same on the two end-points
> add 110.92.114.99 101.48.55.78 esp 25131 -E rijndael-cbc
> "from_here_to_there12345 *";
> add 101.48.55.78 110.92.114.99 esp 25136 -E rijndael-cbc
> "from_there_to_here 12345&";
I've never done anything like this, just spdadd lines... none of the docs I've found say to do this. I understand that this adds entries to the Security Association Database, which sounds like a union for security people.
When I look at the result of "setkey -D" I get 12 entries, so it seems that something is there already. Looks like I get a set of three entries for each tunnel, for each direction.
202.161.111.54 202.127.223.110
ipcomp mode=tunnel spi=32898(0x00008082) reqid=16394(0x0000400a)
C: deflate seq=0x00000000 replay=0 flags=0x00000080 state=mature
created: Dec 30 15:33:39 2014 current: Dec 30 16:26:14 2014
diff: 3155(s) hard: 14400(s) soft: 11120(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=2 pid=38134 refcnt=1
202.161.111.54 202.127.223.110
ipcomp mode=tunnel spi=49151(0x0000bfff) reqid=16394(0x0000400a)
C: deflate seq=0x00000000 replay=0 flags=0x00000080 state=mature
created: Dec 30 15:33:29 2014 current: Dec 30 16:26:14 2014
diff: 3165(s) hard: 14400(s) soft: 11120(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=38134 refcnt=1
202.161.111.54 202.127.223.110
esp mode=tunnel spi=229368149(0x0dabe155) reqid=0(0x00000000)
E: blowfish-cbc 0c9e4d52 f7550f65 f5000990 5597db6e
A: hmac-sha1 dd05d1b2 78f43bcb 56bc7d5d 60c7c9bc 918f2c2a
seq=0x00001483 replay=4 flags=0x00000000 state=mature
created: Dec 30 15:33:29 2014 current: Dec 30 16:26:14 2014
diff: 3165(s) hard: 14400(s) soft: 11120(s)
last: Dec 30 16:26:14 2014 hard: 0(s) soft: 0(s)
current: 421280(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 5251 hard: 0 soft: 0
sadb_seq=0 pid=38134 refcnt=1
Am I expecting to see "C: deflate" in here twice?
(again, like the other emails, I've changed a few IP addresses to obfuscate the real servers, but I changed them the same way as in the other email).
Thanks for your help
Ari
--
-------------------------->
Aristedes Maniatis
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001 fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A
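As an added example, not part of the thread or of FreeBSD's own tooling: a small Python parser for the "setkey -D" dump quoted above, which tallies SAs per address pair and protocol and lists those that have carried no traffic, so the question of whether two ipcomp ("C: deflate") entries for one direction are present can be answered from an inventory of the SAD rather than by eye. The sample input is constructed from the excerpt in the mail (key material omitted), and the regexes assume the plain-text layout setkey prints there.

```python
import re
from collections import Counter

# Sample input, constructed from the setkey -D excerpt in the mail above
# (addresses as obfuscated by the author; key material omitted).
SETKEY_DUMP = """\
202.161.111.54 202.127.223.110
ipcomp mode=tunnel spi=32898(0x00008082) reqid=16394(0x0000400a)
C: deflate seq=0x00000000 replay=0 flags=0x00000080 state=mature
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
202.161.111.54 202.127.223.110
ipcomp mode=tunnel spi=49151(0x0000bfff) reqid=16394(0x0000400a)
C: deflate seq=0x00000000 replay=0 flags=0x00000080 state=mature
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
202.161.111.54 202.127.223.110
esp mode=tunnel spi=229368149(0x0dabe155) reqid=0(0x00000000)
E: blowfish-cbc
A: hmac-sha1
seq=0x00001483 replay=4 flags=0x00000000 state=mature
current: 421280(bytes) hard: 0(bytes) soft: 0(bytes)
"""
HDR_RE = re.compile(r"^(esp|ah|ipcomp) mode=(\w+) spi=(\d+)\(0x[0-9a-f]+\) reqid=(\d+)")
ALG_RE = re.compile(r"^([EAC]): (\S+)")          # E=encryption, A=auth, C=compression
BYTES_RE = re.compile(r"^current: (\d+)\(bytes\)")
ADDR_RE = re.compile(r"^(\S+) (\S+)$")            # "src dst" line heading each SA

def parse_sad(dump):
    """Return one dict per SA: src, dst, proto, mode, spi, reqid, algs, bytes."""
    sas, cur, src, dst = [], None, None, None
    for line in dump.splitlines():
        line = line.strip()
        if (m := HDR_RE.match(line)):
            cur = {"src": src, "dst": dst, "proto": m[1], "mode": m[2],
                   "spi": int(m[3]), "reqid": int(m[4]), "algs": {}, "bytes": 0}
            sas.append(cur)
        elif (m := ALG_RE.match(line)) and cur:
            cur["algs"][m[1]] = m[2]
        elif (m := BYTES_RE.match(line)) and cur:
            cur["bytes"] = int(m[1])
        elif (m := ADDR_RE.match(line)):
            src, dst = m[1], m[2]
    return sas

def summarize(sas):
    """Count SAs per (src, dst, proto) and list those that carried no traffic."""
    counts = Counter((s["src"], s["dst"], s["proto"]) for s in sas)
    idle = [s for s in sas if s["bytes"] == 0]
    return counts, idle
```

Run against a full dump, the count per (src, dst, proto) shows immediately whether a direction has more SAs of one protocol than the policy calls for, and the idle list shows which of them the traffic is actually using.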
More information about the freebsd-stable mailing list