After migrating to OBSD 4.4 (from 4.1) I sometimes find that for a
particular VPN (tunnel mode):
1. The corresponding flows are established, as shown by
netstat -rnf encap
and
ipsecctl -sflow
2. The packets sent to the remote site show up in
tcpdump -leni enc0
with a valid SPI, as confirmed by
ipsecctl -ssa
3. BUT NO corresponding esp packets leave the external interface:
tcpdump -leni vr1 ip host <remote-peer>
Only key exchange packets can be seen (showing that the route to
<remote-peer> is indeed via the external interface).
The other VPN tunnels work just fine. In this situation, tearing down and
reestablishing the flows and/or SAs does not help. Restarting isakmpd helps.
Any ideas?
Regards