Date:      Thu, 1 Oct 2009 10:00:35 +0200
From:      "Zaidi, Abbas" <Abbas_Zaidi@mentor.com>
To:        "VANHULLEBUS Yvan" <vanhu@FreeBSD.org>
Cc:        freebsd-net@freebsd.org, "Ansari, Fakhir" <Fakhir_Ansari@mentor.com>, "Khan, Fayyaz" <Fayyaz_Khan@mentor.com>
Subject:   RE: FreeBSD ipsec tunnel mode packet lost
Message-ID:  <A19AEE62D2942649A4C49BCD0878E421D5D5F9@eu2-mail.mgc.mentorg.com>
In-Reply-To: <20090930120822.GA73383@zeninc.net>

Thanks Yvan for the help

The problem got solved by changing the in security policy, on SGW, from
ipsec level require to use, but I'm still not clear what the real issue
was. Why can't we use require on it?

Thanks,

-----Original Message-----
From: VANHULLEBUS Yvan [mailto:vanhu@FreeBSD.org]
Sent: Wednesday, September 30, 2009 6:08 PM
To: Zaidi, Abbas
Cc: freebsd-net@freebsd.org; Ansari, Fakhir; Khan, Fayyaz
Subject: Re: FreeBSD ipsec tunnel mode packet lost

On Wed, Sep 30, 2009 at 01:16:47PM +0200, Zaidi, Abbas wrote:
> Hi

Hi.


> I am having this strange problem establishing tunnel between FreeBSD and
> linux, my network setup is
[the setup]
> Once the SAs get negotiated I send a ping request from FreeBSDe to
> Linuxe. The packets get an ipsec header applied at FreeBSDr, reach
> Linuxe, a reply to the packet comes back at Link1::e interface of FreeBSDr
> and then the packet gets lost.
>
> I am not using gif. Do I need it?

Probably not.


> I don't think anything is wrong with ipsec as the seq of both in and
> out sa are incrementing on every echo request reply.

Please check output of "netstat -s" (mainly sections esp, ipsec6,
ip6), and see if some counters increase for each dropped packet.


[...]
> There is one strange thing about security policies as of linux in case
> of tunnel there are 3 policies added (in, out, fwd) whereas in FreeBSD
> it only shows 2 (in, out).

This is specific to Linux's IPsec stack implementation, just forget
anything related to "fwd".....


Yvan.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?A19AEE62D2942649A4C49BCD0878E421D5D5F9>
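
The counter check suggested in the quoted reply (watch the esp, ipsec6 and ip6 sections of "netstat -s" for counters that increase per dropped packet) can be done by diffing two saved snapshots. This is an added example, not part of the original messages: the helper names netstat_delta and write_samples are hypothetical, the sample counter lines are constructed, and it assumes both snapshots come from the same "netstat -s" invocation so counter lines keep the same order within each section.

```shell
#!/bin/sh
# Added example: show which `netstat -s` counters moved between two snapshots.

# netstat_delta BEFORE AFTER [SECTIONS]   (hypothetical helper name)
netstat_delta() {
    awk -v want="${3:-esp ipsec6 ip6}" '
    BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i] ":"] = 1 }
    FNR == 1 { file++ }
    # An unindented line such as "esp:" starts a new protocol section.
    /^[^ \t]/ { sect = $1; idx = 0; next }
    # Indented "<count> <description>" line inside a wanted section.
    (sect in keep) && $1 ~ /^[0-9]+$/ {
        # Key on position, not text: the wording changes with the count
        # ("1 packet" vs "2 packets").
        key = sect SUBSEP (++idx)
        if (file == 1) { before[key] = $1 + 0; next }
        if ((key in before) && ($1 + 0) != before[key]) {
            delta = $1 - before[key]; $1 = ""; sub(/^ +/, "")
            printf "%s %+d %s\n", sect, delta, $0
        }
    }' "$1" "$2"
}

# Constructed, abbreviated snapshots (values invented, not from the thread).
write_samples() {
    {
        printf 'esp:\n'
        printf '\t%s\n' '0 packets dropped; no TDB' '4 packets in' '4 packets out'
        printf 'ipsec6:\n\t%s\n' '0 inbound packets violated process security policy'
        printf 'tcp:\n\t%s\n' '10 packets sent'
    } > "$1/before.txt"
    {
        printf 'esp:\n'
        printf '\t%s\n' '0 packets dropped; no TDB' '5 packets in' '5 packets out'
        printf 'ipsec6:\n\t%s\n' '1 inbound packet violated process security policy'
        printf 'tcp:\n\t%s\n' '25 packets sent'
    } > "$1/after.txt"
}

# Demo run on the constructed data.
tmp=$(mktemp -d) && write_samples "$tmp" &&
    netstat_delta "$tmp/before.txt" "$tmp/after.txt"
rm -rf "$tmp"
```

On a live gateway the two files would come from running "netstat -s > before.txt", sending one ping, then "netstat -s > after.txt".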