I see something similar which I've been trying to track down but not
really succeeding. The thing we have in common is multiple subnets,
I wonder if this is a factor...


 (and this setup has always been post-4.4 
On 2011-05-02, Jakob Alvermark <jakob.alverm...@bsdlabs.com> wrote:
> Hi,
>
> I am getting some strange problems with IPSEC tunnels.
> There are 5 sites connected using IPSEC tunnels, which used to work perfectly,
> but since upgrading to 4.8 (from 4.4),
> tunnels started failing, seemingly at random intervals.
> To investigate I set up two machines in the lab and they exhibit the same
> behavior:
> After a seemingly random amount of time, when there is a renegotiation of an
> SA due to its lifetime having expired,
> traffic will stop flowing (I have a ping running). 'ipsecctl -sa' and 'netstat
> -rn' shows everything as normal.
> When that SA lifetime expires and a new SA is negotiated it comes back again.
>
> I recompiled the kernel with 'option ENCDEBUG' and set net.inet.ip.encdebug=1
> and when it fails
> I get 'esp_input_cb(): authentication failed for packet in SA
> xxx.xxx.xxx.97/6e68c6ae'
>
> The machines are installed with stock OpenBSD 4.8, nothing special about the
> configuration.
> ipsec.conf is very simple, just one line:
>
> ike esp from {192.168.1.9/24 172.16.1.0/24} to {192.168.31.0/24
> 192.168.32.254} local xxx.xxx.xxx.97 peer xxx.xxx.xxx.99
>
> Public keys copied across, isakmpd started with flags "-K -v"
>
> Does anyone have any ideas about this?
>
> Thank you
>
> Jakob Alvermark
> jakob.alverm...@bsdlabs.com
> BSDLabs AB
> Solna, Sweden
> 556759-7652
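One way to pin down whether the failures line up with rekeying, added here as an example and not code from anyone in the thread: a small sh script that snapshots the installed SPIs from 'ipsecctl -sa', timestamps every change in that set, and checks each esp_input_cb() authentication failure from dmesg against the SA table at that moment. It assumes 'ipsecctl -sa' prints one SA per line as "esp tunnel from A to B spi 0x... auth ... enc ..." and that ENCDEBUG output reaches dmesg in the form quoted in the post; the 203.0.113.x addresses and the sample lines are constructed for the offline check.

```shell
#!/bin/sh
# Added diagnostic helper for the IPsec rekey problem above; not from the thread.
# Assumptions: 'ipsecctl -sa' prints one SA per line as
#   esp tunnel from A to B spi 0x... auth ... enc ...
# and ENCDEBUG's esp_input_cb() message shows up in dmesg as quoted in the post.

# Constructed sample data (not captured from a real box) so the parsers can be
# exercised offline. The inbound SA for local 203.0.113.97 carries SPI 6e68c6ae.
SAMPLE_SA='esp tunnel from 203.0.113.99 to 203.0.113.97 spi 0x6e68c6ae auth hmac-sha2-256 enc aes
esp tunnel from 203.0.113.97 to 203.0.113.99 spi 0x1a2b3c4d auth hmac-sha2-256 enc aes'
SAMPLE_LOG='esp_input_cb(): authentication failed for packet in SA 203.0.113.97/6e68c6ae'

# Print "dst spi" for every ESP SA in ipsecctl -sa text read on stdin,
# sorted so two snapshots can be compared as strings.
sa_spis() {
    awk '$1 == "esp" {
        dst = ""; spi = ""
        for (i = 1; i < NF; i++) {
            if ($i == "to")  dst = $(i + 1)
            if ($i == "spi") spi = $(i + 1)
        }
        if (dst != "" && spi != "") print dst, spi
    }' | sort
}

# Pull "dst spi" (no 0x prefix, as the kernel prints it) out of
# esp_input_cb() authentication-failure lines read on stdin.
auth_failures() {
    sed -n 's/.*esp_input_cb(): authentication failed for packet in SA \([^/ ]*\)\/\([0-9a-fA-F]*\).*/\1 \2/p'
}

# Given dst and spi of a failed packet, say whether that SA is still in the
# ipsecctl -sa text on stdin: "current" means the kernel still holds the SPI
# the failing packet named, "stale" means it has already been replaced.
failed_sa_status() {
    spi=${2#0x}
    if sa_spis | grep -q "^$1 0x$spi\$"; then
        echo current
    else
        echo stale
    fi
}

# Poll the live system: log every change in the SPI set with a timestamp and
# classify each new auth failure against the SA table at that moment.
# dmesg is a ring buffer, so the "seen" counter is only approximate.
monitor_loop() {
    interval=${1:-5}
    prev=$(ipsecctl -sa | sa_spis)
    seen=0
    while :; do
        sleep "$interval"
        cur=$(ipsecctl -sa | sa_spis)
        if [ "$cur" != "$prev" ]; then
            echo "$(date '+%Y-%m-%d %H:%M:%S') SA set changed (rekey):"
            echo "$cur"
            prev=$cur
        fi
        dmesg | auth_failures | tail -n +"$((seen + 1))" | while read -r dst spi; do
            echo "$(date '+%Y-%m-%d %H:%M:%S') auth failure on $dst/$spi:" \
                 "$(ipsecctl -sa | failed_sa_status "$dst" "$spi")"
        done
        seen=$(dmesg | auth_failures | wc -l | tr -d ' ')
    done
}

# Usage: sh ipsec-rekey-watch.sh monitor [interval-seconds]
#        sh ipsec-rekey-watch.sh demo      (runs the parsers on the sample data)
if [ "${1-}" = monitor ]; then
    monitor_loop "${2-5}"
elif [ "${1-}" = demo ]; then
    printf '%s\n' "$SAMPLE_SA" | sa_spis
    printf '%s\n' "$SAMPLE_LOG" | auth_failures
    printf '%s\n' "$SAMPLE_SA" | failed_sa_status 203.0.113.97 6e68c6ae
fi
```

Run it with "monitor" alongside the ping from the lab setup: if every "SA set changed" line is followed by a run of "current" failures until the next rekey, the ICV mismatch is on an SA both sides still agree exists, which narrows the search to the key or replay state negotiated for that SPI rather than to routing or flow setup.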
