Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 29 Dec 2008 12:52:51 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To:        Gabe <nrml@att.net>
Cc:        freebsd-net@freebsd.org
Subject:   Re: +ipsec_common_input: no key association found for SA
Message-ID:  <20081229124113.A28465@maildrop.int.zabbadoz.net>
In-Reply-To: <204586.11713.qm@web83809.mail.sp1.yahoo.com>
References:  <204586.11713.qm@web83809.mail.sp1.yahoo.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 29 Dec 2008, Gabe wrote:

> Anyone know what causes this error message?
>
> +ipsec_common_input: no key association found for SA 69.x.x.x[0]/04e317a1/50

from what I remember without looking, this means that you ahve an
IPsec policy for src/dst but no SA matching this pair or rather no
matching destination + protocol + security parameter index (see rfc2401).

The easiest thing you can do is to check
   setkey -Da
for this tripple the time the printf happens.

The first thing in the printf is your destination IP (your local side),
the next is the SPI in hex and last is the protocol (50 == ESP). With
that you can see if what the peer sends you is what you negotiated/expected.

Are you using static keying or an ike daemon like racoon?
Do this happen for all packets or just randomly or exactly every n
minutes/hours?

If you find an exact match of the triplet in setkey -Da you may also
want to check if there is another one and/or the state of the entry/entries
(state=.. at the end of the fourth line).
If it's not "mature" check the time ralted values to see if there is
an expiry problem..


/bz

-- 
Bjoern A. Zeeb                      The greatest risk is not taking one.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20081229124113.A28465>