> 在 2016年7月19日,23:03,Ilan Tayari <il...@mellanox.com> 写道: > >> On the receiving side (e.g. fd01:1b10:1000::1) I see the decrypted packets >> with >> the 2.6.23 kernel: >> but NOT with the newer kernel: > > Hi Joerg, > > First steps to debug this would be: > cat /proc/net/xfrm_stat > ip -s xfrm state > ip -s xfrm policy > > First command will show some error accounting, which can point to the culprit > code. > Second and third command will show existing objects, and some statistics like > when the last packet was used with them. > > Last thing - for your safety you should keep those session keys private. > > Ilan.
Hi Joerg, I think maybe you can try tcpdump -w to write the captured packets into a file and use tools like Wireshark to analyze and see what is going wrong.