From owner-freebsd-net@FreeBSD.ORG Mon Dec 29 13:20:07 2008
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5C44D106564A for ; Mon, 29 Dec 2008 13:20:07 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net)
Received: from mail.cksoft.de (mail.cksoft.de [62.111.66.27]) by mx1.freebsd.org (Postfix) with ESMTP id 0C09A8FC14 for ; Mon, 29 Dec 2008 13:20:07 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net)
Received: from localhost (amavis.str.cksoft.de [192.168.74.71]) by mail.cksoft.de (Postfix) with ESMTP id 1363441C65E; Mon, 29 Dec 2008 14:20:06 +0100 (CET)
X-Virus-Scanned: amavisd-new at cksoft.de
Received: from mail.cksoft.de ([62.111.66.27]) by localhost (amavis.str.cksoft.de [192.168.74.71]) (amavisd-new, port 10024) with ESMTP id flvQapWkai6g; Mon, 29 Dec 2008 14:20:05 +0100 (CET)
Received: by mail.cksoft.de (Postfix, from userid 66) id B7B0241C64C; Mon, 29 Dec 2008 14:20:05 +0100 (CET)
Received: from maildrop.int.zabbadoz.net (maildrop.int.zabbadoz.net [10.111.66.10]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.int.zabbadoz.net (Postfix) with ESMTP id C0E5A4448D5; Mon, 29 Dec 2008 13:19:16 +0000 (UTC)
Date: Mon, 29 Dec 2008 13:19:16 +0000 (UTC)
From: "Bjoern A. Zeeb"
X-X-Sender: bz@maildrop.int.zabbadoz.net
To: Gabe
In-Reply-To: <20081229124113.A28465@maildrop.int.zabbadoz.net>
Message-ID: <20081229131719.K28465@maildrop.int.zabbadoz.net>
References: <204586.11713.qm@web83809.mail.sp1.yahoo.com> <20081229124113.A28465@maildrop.int.zabbadoz.net>
X-OpenPGP-Key: 0x14003F198FEFA3E77207EE8D2B58B8F83CCF1842
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: freebsd-net@freebsd.org
Subject: Re: +ipsec_common_input: no key association found for SA
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 29 Dec 2008 13:20:07 -0000

On Mon, 29 Dec 2008, Bjoern A. Zeeb wrote:

> On Mon, 29 Dec 2008, Gabe wrote:
>
>> Anyone know what causes this error message?
>>
>> +ipsec_common_input: no key association found for SA
>> 69.x.x.x[0]/04e317a1/50
>
> From what I remember without looking, this means that you have an
> IPsec policy for src/dst but no SA matching this pair, or rather no
> matching destination + protocol + security parameter index (see rfc2401).
>
> The easiest thing you can do is to check
> setkey -Da
> for this triple at the time the printf happens.
>
> The first thing in the printf is your destination IP (your local side),
> the next is the SPI in hex and the last is the protocol (50 == ESP). With
> that you can see if what the peer sends you is what you negotiated/expected.
>
> Are you using static keying or an IKE daemon like racoon?
> Does this happen for all packets, or just randomly, or exactly every n
> minutes/hours?
>
> If you find an exact match of the triple in setkey -Da you may also
> want to check if there is another one and/or the state of the entry/entries
> (state=.. at the end of the fourth line).
> If it's not "mature", check the time-related values to see if there is
> an expiry problem..
One more thing - you may want to flip the sysctl to
net.key.preferred_oldsa=0 and see if that makes a change. But beware -
this is going to affect all your peers, not just one, so if you have 99
working and 1 not you'll most likely kill the other 99.

/bz

-- 
Bjoern A. Zeeb                      The greatest risk is not taking one.
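The check described in the reply above, scripted, as an added example that is not code from this thread or from FreeBSD: split the kernel printf into destination address, SPI and protocol, then look for that triple in saved `setkey -Da` output and report whether a matching SA exists and what state it is in. The parser assumes the setkey -D layout the thread refers to (an unindented "src dst" line followed by indented attribute lines, one of them carrying `spi=N(0xN)` and one carrying `state=...`). The log line and the two setkey dumps below are constructed sample data; documentation-range addresses stand in for the redacted 69.x.x.x.

```python
#!/usr/bin/env python3
"""Correlate a FreeBSD 'no key association found for SA' message with setkey -Da.

Added example, not code from the freebsd-net thread or from FreeBSD.
The kernel message layout (dst[port]/spi-in-hex/proto) and the setkey -D
layout follow the thread; all sample data below is constructed.
"""
import re

# dst, optional [port], SPI in hex, IP protocol number (50 == ESP, 51 == AH)
LOG_RE = re.compile(
    r"no key association found for SA "
    r"(?P<dst>[0-9A-Fa-f.:]+)(?:\[(?P<port>\d+)\])?/(?P<spi>[0-9A-Fa-f]+)/(?P<proto>\d+)"
)
PROTO_NAMES = {50: "esp", 51: "ah", 108: "ipcomp"}

# setkey -D prints each SA as an unindented "src dst" line followed by
# indented attribute lines (assumed layout, see lead-in).
SA_HEADER_RE = re.compile(r"^(?P<src>\S+)\s+(?P<dst>\S+)\s*$")
SA_PROTO_RE = re.compile(
    r"^(?P<proto>esp|ah|ipcomp)\s+mode=(?P<mode>\S+)\s+spi=\d+\((?P<spi>0x[0-9A-Fa-f]+)\)"
)
STATE_RE = re.compile(r"\bstate=(?P<state>\w+)")


def parse_log(line):
    """Return (dst, spi, proto) from the kernel printf, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("dst"), int(m.group("spi"), 16), int(m.group("proto"))


def parse_setkey(text):
    """Parse setkey -Da output into a list of SA dicts (src, dst, proto, mode, spi, state)."""
    sas = []
    cur = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():  # new SA block: "src dst"
            m = SA_HEADER_RE.match(raw)
            if m:
                cur = {"src": m.group("src"), "dst": m.group("dst")}
                sas.append(cur)
            continue
        if cur is None:
            continue
        line = raw.strip()
        m = SA_PROTO_RE.match(line)
        if m:
            cur["proto"] = m.group("proto")
            cur["mode"] = m.group("mode")
            cur["spi"] = int(m.group("spi"), 16)
        m = STATE_RE.search(line)
        if m:
            cur["state"] = m.group("state")
    return sas


def diagnose(log_line, setkey_text):
    """Classify the failure as 'no-match', 'mature', or 'not-mature:<states>'.

    Returns (verdict, matching SA dicts). 'no-match' means the peer's
    dst/SPI/proto triple is not in the SAD at all (negotiation mismatch);
    a non-mature state points at an expiry or rekey problem instead.
    """
    parsed = parse_log(log_line)
    if parsed is None:
        raise ValueError("not an ipsec_common_input SA message")
    dst, spi, proto = parsed
    want = PROTO_NAMES.get(proto, str(proto))
    hits = [sa for sa in parse_setkey(setkey_text)
            if sa.get("dst") == dst and sa.get("spi") == spi and sa.get("proto") == want]
    if not hits:
        return "no-match", []
    states = sorted({sa.get("state", "?") for sa in hits})
    if states == ["mature"]:
        return "mature", hits
    return "not-mature:" + ",".join(states), hits


# Constructed sample: the thread's message with a documentation-range address.
SAMPLE_LOG = "+ipsec_common_input: no key association found for SA 203.0.113.5[0]/04e317a1/50"

# Constructed: the peer sends SPI 0x04e317a1 but the only inbound SA has 0x04e417a1.
SAMPLE_SETKEY_MISMATCH = """\
198.51.100.7 203.0.113.5
\tesp mode=tunnel spi=82057121(0x04e417a1) reqid=0(0x00000000)
\tE: aes-cbc  00112233 44556677 8899aabb ccddeeff
\tA: hmac-sha1  00112233 44556677 8899aabb ccddeeff 00112233
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Dec 29 13:10:01 2008\tcurrent: Dec 29 13:19:16 2008
203.0.113.5 198.51.100.7
\tesp mode=tunnel spi=82057122(0x04e417a2) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

# Constructed: the triple is present, but the SA is no longer mature.
SAMPLE_SETKEY_STALE = """\
198.51.100.7 203.0.113.5
\tesp mode=tunnel spi=81991585(0x04e317a1) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=dying
"""

if __name__ == "__main__":
    for name, dump in (("mismatch", SAMPLE_SETKEY_MISMATCH), ("stale", SAMPLE_SETKEY_STALE)):
        verdict, hits = diagnose(SAMPLE_LOG, dump)
        print(f"{name}: {verdict} ({len(hits)} matching SA(s))")
```

In use, capture `setkey -Da` at the moment the message appears (the thread's point is that the SAD changes over time) and pass that text together with the log line; a "no-match" result means the SPI the peer is using was never installed on this side, while a non-mature state means the SA exists but is on its way out and the lifetimes are worth checking.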