I had a FreeBSD IPSEC tunnel set up between two machines that stopped working when I upgraded one of the machines to a newer version of 4.7-STABLE. I'm not sure what the problem is. When I watch the packets on the outside interfaces, I see the packet go out from one host, the older (4.7-RELEASE) machine replies, but the new one never moves that reply packet back across the tunnel.
'netstat -sn -p ipsec' is reporting that packets are "violating process security policy". I'm pretty sure that is the problem, but I'm not sure what that means.

Here's setkey -DP (4.7-STABLE):

    192.168.1.1/24[any] 10.10.1.1/24[any] any
        in ipsec
        esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
        spid=24 seq=1 pid=24319 refcnt=1
    10.10.1.1/24[any] 192.168.1.1/24[any] any
        out ipsec
        esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
        spid=23 seq=0 pid=24319 refcnt=1

setkey -DP (4.7-RELEASE):

    10.10.1.1/24[any] 192.168.1.1/24[any] any
        in ipsec
        esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
        spid=4 seq=1 pid=8760 refcnt=1
    192.168.1.1/24[any] 10.10.1.1/24[any] any
        out ipsec
        esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
        spid=3 seq=0 pid=8760 refcnt=1

netstat -sn -p ipsec (4.7-STABLE):

    ipsec:
        1688 inbound packets processed successfully
        1682 inbound packets violated process security policy
        0 inbound packets with no SA available
        0 invalid inbound packets
        0 inbound packets failed due to insufficient memory
        0 inbound packets failed getting SPI
        0 inbound packets failed on AH replay check
        0 inbound packets failed on ESP replay check
        0 inbound packets considered authentic
        0 inbound packets failed on authentication
        ESP input histogram:
            blowfish-cbc: 1688
        588 outbound packets processed successfully
        0 outbound packets violated process security policy
        11 outbound packets with no SA available
        0 invalid outbound packets
        0 outbound packets failed due to insufficient memory
        0 outbound packets with no route
        ESP output histogram:
            blowfish-cbc: 588
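A first thing to rule out when one side counts "inbound packets violated process security policy" is a mismatch between the two hosts' SPDs: each peer's "in" tunnel policy must have a matching "out" policy on the other peer (same selectors, same tunnel endpoints, opposite direction), and every tunnel policy on a host must name the same local outer address. The following checker is an added example, not code from the post or from FreeBSD; the two dumps are constructed from the values quoted above, with the post's XX.XX.XX.XX and YY.YY.YY.YY placeholders kept as-is.

```python
import re
from collections import namedtuple

# Constructed from the setkey -DP output quoted in the post (XX.../YY... are its placeholders).
STABLE_DUMP = """\
192.168.1.1/24[any] 10.10.1.1/24[any] any
    in ipsec
    esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
    spid=24 seq=1 pid=24319 refcnt=1
10.10.1.1/24[any] 192.168.1.1/24[any] any
    out ipsec
    esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
    spid=23 seq=0 pid=24319 refcnt=1
"""
RELEASE_DUMP = """\
10.10.1.1/24[any] 192.168.1.1/24[any] any
    in ipsec
    esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
    spid=4 seq=1 pid=8760 refcnt=1
192.168.1.1/24[any] 10.10.1.1/24[any] any
    out ipsec
    esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
    spid=3 seq=0 pid=8760 refcnt=1
"""
Policy = namedtuple("Policy", "src dst proto direction tun_src tun_dst level")
RULE = re.compile(r"^\s+(esp|ah|ipcomp)/(tunnel|transport)/([^-/]+)-([^/]+)/(\w+)")

def parse_spd(text):
    """Parse `setkey -DP` output into Policy tuples; selectors are compared literally."""
    policies, cur = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():              # "src dst upperspec" header line
            cur = line.split()                          # [src, dst, proto]
        elif line.split()[:2] in (["in", "ipsec"], ["out", "ipsec"]):
            cur.append(line.split()[0])                 # direction
        elif (m := RULE.match(line)):                   # "esp/tunnel/A-B/require"
            policies.append(Policy(*cur, m.group(3), m.group(4), m.group(5)))
    return policies                                     # spid=... lines are skipped

def mirror(p):
    """The policy the peer must hold for p: same selectors and endpoints, opposite direction."""
    return Policy(p.src, p.dst, p.proto, "out" if p.direction == "in" else "in",
                  p.tun_src, p.tun_dst, p.level)

def missing_mirrors(local, peer):
    """Policies on `local` with no counterpart on `peer`: traffic one side will not accept."""
    return [p for p in local if mirror(p) not in peer]

def local_endpoints(policies):
    """Outer addresses a host claims as itself; more than one means inconsistent policies."""
    return {p.tun_src if p.direction == "out" else p.tun_dst for p in policies}
```

For the two dumps quoted in the post both checks pass (no missing mirrors, one local endpoint per host), so the policy text itself is not the mismatch.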