Date:      Mon, 29 Dec 2008 22:25:32 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To:        Gabe <nrml@att.net>
Cc:        freebsd-net@freebsd.org
Subject:   Re: +ipsec_common_input: no key association found for SA
Message-ID:  <20081229222334.D28465@maildrop.int.zabbadoz.net>
In-Reply-To: <20081229221714.G28465@maildrop.int.zabbadoz.net>
References:  <847488.86907.qm@web83814.mail.sp1.yahoo.com> <20081229221714.G28465@maildrop.int.zabbadoz.net>

On Mon, 29 Dec 2008, Bjoern A. Zeeb wrote:

> On Mon, 29 Dec 2008, Gabe wrote:
>
>> This is what setkey -Da returns:
>> box# setkey -Da
>> Invalid extension type
>> Invalid extension type
>> box#
>
> you are running with the NAT-T patch (as I see you say further down).
> Try /usr/local/sbin/setkey -Da in that case.


One more thing; if you are comparing SPIs from the log with setkey,
you can also run
tcpdump -s 0 -vv -ln proto 50
and it will show you something like
    ... ESP(spi=0x12345678,seq=0x..),
so you could as well compare what you receive on the wire with what
you get in the log. This would help to eliminate the case of a
problematic patch.

/bz

-- 
Bjoern A. Zeeb                      The greatest risk is not taking one.
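
The comparison suggested above, as an added example that is not part of the original message: it pulls SPIs out of tcpdump output, a `setkey -D` dump and the kernel log, then reports where each logged SPI was also seen. The helper names, the sample data and the log line layout (`<addr>/<hex spi>/<proto>`) are assumptions.

```shell
#!/bin/sh
# Lower-case each SPI, zero-pad it to 8 hex digits, de-duplicate.
norm() { awk '{ s = tolower($0); while (length(s) < 8) s = "0" s; print s }' | sort -u; }

# SPIs from `tcpdump -s 0 -vv -ln proto 50` output: ESP(spi=0x12345678,seq=...)
wire_spis() { sed -n 's/.*ESP(spi=0x\([0-9A-Fa-f]\{1,8\}\),.*/\1/p' | norm; }

# SPIs from `setkey -D` output: spi=305419896(0x12345678)
sad_spis() { sed -n 's/.*spi=[0-9]*(0x\([0-9A-Fa-f]*\)).*/\1/p' | norm; }

# SPIs from the kernel message. ASSUMED layout: "... for SA <addr>/<hex spi>/<proto>"
log_spis() { sed -n 's|.*no key association found for SA [^/]*/\([0-9A-Fa-f]*\)/.*|\1|p' | norm; }

# report <tcpdump text> <log text> <setkey text>
# Prints one line per SPI the log complained about.
report() {
    wire=$(printf '%s\n' "$1" | wire_spis)
    sad=$(printf '%s\n' "$3" | sad_spis)
    printf '%s\n' "$2" | log_spis | while read -r spi; do
        w=no; s=no
        printf '%s\n' "$wire" | grep -qx "$spi" && w=yes
        printf '%s\n' "$sad" | grep -qx "$spi" && s=yes
        echo "$spi wire=$w sad=$s"
    done
}

# Constructed sample input (documentation addresses, made-up SPIs).
sample_wire() { cat <<'EOF'
    192.0.2.10 > 192.0.2.20: ESP(spi=0x12345678,seq=0x1a), length 116
    192.0.2.10 > 192.0.2.20: ESP(spi=0x0abc0001,seq=0x2), length 116
EOF
}
sample_log() { cat <<'EOF'
ipsec_common_input: no key association found for SA 192.0.2.20/12345678/50
ipsec_common_input: no key association found for SA 192.0.2.20/78563412/50
EOF
}
sample_sad() { cat <<'EOF'
192.0.2.10 192.0.2.20
        esp mode=tunnel spi=180092929(0x0abc0001) reqid=0(0x00000000)
EOF
}

report "$(sample_wire)" "$(sample_log)" "$(sample_sad)"
```

A logged SPI with `wire=yes sad=no` really arrived from the peer without a matching SA; `wire=no` means the logged value never appeared on the wire, which is the case the wire capture is meant to separate out.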


