Hi,

Same here, but between 2 hosts in the same subnet (very basic network setup).
I was also waiting for 4.9 (and time to investigate...)

kind regards,
Robert

On Mon, 2 May 2011 13:30:34 +0000 (UTC) Stuart Henderson <[email protected]> wrote:

> I see something similar which I've been trying to track down but not
> really succeeding. The thing we have in common is multiple subnets,
> I wonder if this is a factor...
>
> (and this setup has always been post-4.4
>
> On 2011-05-02, Jakob Alvermark <[email protected]> wrote:
> > Hi,
> >
> > I am getting some strange problems with IPSEC tunnels.
> > There are 5 sites connected using IPSEC tunnels, which used to work
> > perfectly, but since upgrading to 4.8 (from 4.4), tunnels started
> > failing, seemingly at random intervals.
> > To investigate I set up two machines in the lab and they exhibit the
> > same behavior:
> > After a seemingly random amount of time, when there is a renegotiation
> > of an SA due to its lifetime expired, traffic will stop flowing (I have
> > a ping running). 'ipsecctl -sa' and 'netstat -rn' shows everything as
> > normal.
> > When that SA lifetime expires and a new SA is negotiated it comes back
> > again.
> >
> > I recompiled the kernel with 'option ENCDEBUG' and set
> > net.inet.ip.encdebug=1 and when it fails I get
> > 'esp_input_cb(): authentication failed for packet in SA xxx.xxx.xxx.97/6e68c6ae'
> >
> > The machines are installed with stock OpenBSD 4.8, nothing special
> > about the configuration.
> > ipsec.conf is very simple, just one line:
> >
> > ike esp from {192.168.1.9/24 172.16.1.0/24} to {192.168.31.0/24 192.168.32.254} local xxx.xxx.xxx.97 peer xxx.xxx.xxx.99
> >
> > Public keys copied across, isakmpd started with flags "-K -v"
> >
> > Does anyone have any ideas about this?
> >
> > Thank you
> >
> > Jakob Alvermark
> > [email protected]
> > BSDLabs AB
> > Solna, Sweden
> > 556759-7652

