Date: Mon, 29 Dec 2008 22:25:32 +0000 (UTC)
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: Gabe <nrml@att.net>
Cc: freebsd-net@freebsd.org
Subject: Re: +ipsec_common_input: no key association found for SA
Message-ID: <20081229222334.D28465@maildrop.int.zabbadoz.net>
In-Reply-To: <20081229221714.G28465@maildrop.int.zabbadoz.net>
References: <847488.86907.qm@web83814.mail.sp1.yahoo.com> <20081229221714.G28465@maildrop.int.zabbadoz.net>

On Mon, 29 Dec 2008, Bjoern A. Zeeb wrote:

> On Mon, 29 Dec 2008, Gabe wrote:
>
>> This is what setkey -Da returns:
>> box# setkey -Da
>> Invalid extension type
>> Invalid extension type
>> box#
>
> you are running with the NAT-T patch (as I see you say further down).
> Try /usr/local/sbin/setkey -Da in that case.

One more thing; if you are comparing SPIs from the log with setkey,
you can also run

    tcpdump -s 0 -vv -ln proto 50

and it will show you something like

    ... ESP(spi=0x12345678,seq=0x..)

so you could as well compare what you receive on the wire with what
you get in the log.

This would help to eliminate the case of a problematic patch.

/bz

-- 
Bjoern A. Zeeb
The greatest risk is not taking one.
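
The wire-versus-SAD comparison suggested in the message above, as an added example that is not part of the original e-mail or of any FreeBSD tool: it lists SPIs seen in a saved tcpdump capture that have no matching SA in a saved setkey dump. The function names, addresses and SPIs are constructed, and the setkey line layout `spi=<decimal>(0x<hex>)` is an assumption.

```shell
# Added example. All sample lines, addresses and SPIs below are constructed.
# Pad hex SPIs on stdin to 8 lowercase digits; sort and de-duplicate.
norm() {
    tr 'A-F' 'a-f' | awk '{ s = $0; while (length(s) < 8) s = "0" s; print s }' | sort -u
}

# SPIs from "tcpdump -s 0 -vv -ln proto 50" output: ESP(spi=0x...,seq=0x...)
wire_spis() {
    sed -n 's/.*ESP(spi=0x\([0-9A-Fa-f]*\),.*/\1/p' | norm
}

# SPIs from "setkey -Da" output; assumed layout: spi=<decimal>(0x<hex>)
sad_spis() {
    sed -n 's/.*[[:space:]]spi=[0-9]*(0x\([0-9A-Fa-f]*\)).*/\1/p' | norm
}

# Print SPIs seen in capture file $1 that have no SA in SAD dump $2.
missing_spis() {
    sad=$(sad_spis < "$2" | tr '\n' ' ')
    wire_spis < "$1" | awk -v sad="$sad" '
        BEGIN { n = split(sad, a, " "); for (i = 1; i <= n; i++) have[a[i]] = 1 }
        !($0 in have)'
}

sample_wire() {
cat <<'EOF'
22:10:01.000001 IP 192.0.2.10 > 192.0.2.20: ESP(spi=0x0a1b2c3d,seq=0x1), length 116
22:10:01.500000 IP 192.0.2.10 > 192.0.2.20: ESP(spi=0x0a1b2c3d,seq=0x2), length 116
22:10:02.000000 IP 192.0.2.10 > 192.0.2.20: ESP(spi=0x0deadbee,seq=0x7), length 116
EOF
}
sample_sad() {
cat <<'EOF'
192.0.2.10 192.0.2.20
    esp mode=tunnel spi=169552957(0x0a1b2c3d) reqid=0(0x00000000)
192.0.2.20 192.0.2.10
    esp mode=tunnel spi=202374881(0x0c0ffee1) reqid=0(0x00000000)
EOF
}

# Run the comparison over the constructed samples.
demo() {
    d=$(mktemp -d) || return 1
    sample_wire > "$d/wire.txt"; sample_sad > "$d/sad.txt"
    missing_spis "$d/wire.txt" "$d/sad.txt"
    rm -rf "$d"
}

demo | sed 's/^/on the wire but not in the SAD: 0x/'
```

On a real host, save the tcpdump output and the `/usr/local/sbin/setkey -Da` output to two files and pass them to `missing_spis` in that order.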