On 08/12/2014 12:33 PM, Markus Wernig wrote:
> sadb_getspi: satype esp vers 2 len 10 seq 19 pid 25389
> address_src: A.B.C.D
> address_dst: 10.x.y.z
> spirange: min 0x00000100 max 0xffffffff
> sadb_getspi: satype esp vers 2 len 10 seq 19 pid 25389
> sa: spi 0xfe52d794 auth none enc none
> state mature replay 0 flags 0<>
> address_src: A.B.C.D
> address_dst: 10.x.y.z
> sadb_update: satype esp vers 2 len 41 seq 20 pid 25389
> sa: spi 0xfe52d794 auth hmac-sha1 enc aes
> state mature replay 64 flags 0x204<tunnel,udpencap>
> lifetime_hard: alloc 0 bytes 536870912 add 10800 first 0
> lifetime_soft: alloc 0 bytes 493384368 add 9925 first 0
> address_src: A.B.C.D
> address_dst: 10.x.y.z
> key_auth: bits 160: ...
> key_encrypt: bits 128: ...
> identity_src: type ufqdn id 0: UFQDN/[email protected]
> identity_dst: type fqdn id 0: FQDN/vpn.doe.com
> udpencap: udpencap port 4500
> tag: ipsec-UFQDN/[email protected]
> sadb_update: satype esp vers 2 len 34 seq 20 pid 25389
> sa: spi 0xfe52d794 auth hmac-sha1 enc aes
> state mature replay 64 flags 0x204<tunnel,udpencap>
> lifetime_hard: alloc 0 bytes 536870912 add 10800 first 0
> lifetime_soft: alloc 0 bytes 493384368 add 9925 first 0
> address_src: A.B.C.D
> address_dst: 10.x.y.z
> identity_src: type ufqdn id 0: UFQDN/[email protected]
> identity_dst: type fqdn id 0: FQDN/vpn.doe.com
> udpencap: udpencap port 4500
> tag: ipsec-UFQDN/[email protected]
> sadb_add: satype esp vers 2 len 41 seq 21 pid 25389
> sa: spi 0xc06ab6b8 auth hmac-sha1 enc aes
> state mature replay 64 flags 0x204<tunnel,udpencap>
> lifetime_hard: alloc 0 bytes 536870912 add 10800 first 0
> lifetime_soft: alloc 0 bytes 497679335 add 10011 first 0
> address_src: 10.x.y.z
> address_dst: A.B.C.D
> key_auth: bits 160: ...
> key_encrypt: bits 128: ...
> identity_src: type fqdn id 0: FQDN/vpn.doe.com
> identity_dst: type ufqdn id 0: UFQDN/[email protected]
> udpencap: udpencap port 4500
> tag: ipsec-UFQDN/[email protected]
> sadb_add: satype esp vers 2 len 34 seq 21 pid 25389
> sa: spi 0xc06ab6b8 auth hmac-sha1 enc aes
> state mature replay 64 flags 0x204<tunnel,udpencap>
> lifetime_hard: alloc 0 bytes 536870912 add 10800 first 0
> lifetime_soft: alloc 0 bytes 497679335 add 10011 first 0
> address_src: 10.x.y.z
> address_dst: A.B.C.D
> identity_src: type fqdn id 0: FQDN/vpn.doe.com
> identity_dst: type ufqdn id 0: UFQDN/[email protected]
> udpencap: udpencap port 4500
> tag: ipsec-UFQDN/[email protected]
But really, I think this is the problem:

Aug 12 16:56:18 tunnel iked[22215]: ikev2_childsa_enable: loaded CHILD SA spi 0xcb320247
Aug 12 16:56:18 tunnel iked[22215]: pfkey_flow: unsupported address family 0
Aug 12 16:56:18 tunnel iked[22215]: ikev2_childsa_enable: failed to load flow
Aug 12 16:56:18 tunnel iked[22215]: ikev2_dispatch_cert: failed to send ike auth

It seems that the flow that comes from &sa->sa_flows in ikev2.c::ikev2_childsa_enable does not have its AF set. How could this happen?
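The dump quoted above shows the SA half of the CHILD SA install going through (getspi, then the update that fills in keys and flags, then the add for the reverse direction), while the log shows the flow half failing. As an added example, not code from this thread or from iked, here is a small Python parser for a monitor dump in that format which reconstructs each SPI's history and audits the result: placeholder SAs left unfilled, soft lifetimes not below hard ones, replay protection off, a missing reverse-direction SA, and SAs installed with no flow message at all. It assumes that a successfully installed flow would show up in the same stream as a sadb_x_addflow message (as in OpenBSD's ipsecctl -m output), and it uses a constructed, condensed copy of the quoted dump as its input.

```python
import re

# Constructed sample in the style of the PF_KEY monitor dump quoted in the
# thread: the getspi placeholder, the update that fills it in, and the add for
# the reverse direction. Keys and real addresses are elided, as in the post.
SAMPLE_DUMP = """\
sadb_getspi: satype esp vers 2 len 10 seq 19 pid 25389
    sa: spi 0xfe52d794 auth none enc none
        state mature replay 0 flags 0<>
    address_src: A.B.C.D
    address_dst: 10.x.y.z
sadb_update: satype esp vers 2 len 41 seq 20 pid 25389
    sa: spi 0xfe52d794 auth hmac-sha1 enc aes
        state mature replay 64 flags 0x204<tunnel,udpencap>
    lifetime_hard: alloc 0 bytes 536870912 add 10800 first 0
    lifetime_soft: alloc 0 bytes 493384368 add 9925 first 0
    address_src: A.B.C.D
    address_dst: 10.x.y.z
    udpencap: udpencap port 4500
sadb_add: satype esp vers 2 len 41 seq 21 pid 25389
    sa: spi 0xc06ab6b8 auth hmac-sha1 enc aes
        state mature replay 64 flags 0x204<tunnel,udpencap>
    lifetime_hard: alloc 0 bytes 536870912 add 10800 first 0
    lifetime_soft: alloc 0 bytes 497679335 add 10011 first 0
    address_src: 10.x.y.z
    address_dst: A.B.C.D
    udpencap: udpencap port 4500
"""

MSG_RE = re.compile(r"^(sadb_\w+):")                      # message header, column 0
SA_RE = re.compile(r"^\s*sa: spi (0x[0-9a-f]+) auth (\S+) enc (\S+)")
STATE_RE = re.compile(r"^\s*state (\S+) replay (\d+) flags \S*?<([^>]*)>")
LIFE_RE = re.compile(r"^\s*lifetime_(hard|soft): alloc \d+ bytes (\d+) add (\d+) first \d+")
ADDR_RE = re.compile(r"^\s*address_(src|dst): (\S+)")
UDP_RE = re.compile(r"^\s*udpencap: udpencap port (\d+)")


def parse_pfkey_dump(text):
    """Split a monitor dump into one dict per sadb_* message."""
    messages, cur = [], None
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if m:
            cur = {"type": m.group(1), "spi": None, "auth": None, "enc": None,
                   "flags": [], "replay": None, "lifetime": {}, "src": None,
                   "dst": None, "udpencap_port": None}
            messages.append(cur)
            continue
        if cur is None:
            continue
        if m := SA_RE.match(line):
            cur["spi"], cur["auth"], cur["enc"] = m.groups()
        elif m := STATE_RE.match(line):
            cur["state"], cur["replay"] = m.group(1), int(m.group(2))
            cur["flags"] = [f for f in m.group(3).split(",") if f]
        elif m := LIFE_RE.match(line):
            cur["lifetime"][m.group(1)] = {"bytes": int(m.group(2)), "seconds": int(m.group(3))}
        elif m := ADDR_RE.match(line):
            cur[m.group(1)] = m.group(2)
        elif m := UDP_RE.match(line):
            cur["udpencap_port"] = int(m.group(1))
    return messages


def audit(messages):
    """Return human-readable findings about the SA set described by the dump."""
    findings, by_spi = [], {}
    for msg in messages:
        if msg["spi"] is not None:
            by_spi.setdefault(msg["spi"], []).append(msg)
    # The last message for an SPI is the SA's current state (getspi -> update).
    final = {spi: msgs[-1] for spi, msgs in by_spi.items()}
    for spi, sa in final.items():
        history = [m["type"] for m in by_spi[spi]]
        if sa["auth"] == "none" and sa["enc"] == "none":
            findings.append(f"{spi}: placeholder SA never filled in (history {history})")
            continue
        if "tunnel" not in sa["flags"]:
            findings.append(f"{spi}: not tunnel mode, flags={sa['flags']}")
        if "udpencap" in sa["flags"] and sa["udpencap_port"] is None:
            findings.append(f"{spi}: udpencap flag set but no encapsulation port")
        hard, soft = sa["lifetime"].get("hard"), sa["lifetime"].get("soft")
        if hard and soft and not (soft["bytes"] < hard["bytes"] and soft["seconds"] < hard["seconds"]):
            findings.append(f"{spi}: soft lifetime not below hard lifetime")
        if sa["replay"] == 0:
            findings.append(f"{spi}: replay window disabled")
    # Each direction of a tunnel needs its own SA; flag a missing partner.
    pairs = {(sa["src"], sa["dst"]) for sa in final.values() if sa["enc"] != "none"}
    for src, dst in sorted(pairs):
        if (dst, src) not in pairs:
            findings.append(f"{src}->{dst}: no SA for the reverse direction")
    # Assumption: a successful flow install appears as a sadb_x_addflow message
    # in the same stream. SAs without a flow never see any traffic.
    if final and not any(m["type"].startswith("sadb_x_addflow") for m in messages):
        findings.append("SAs installed but no flow message in this stream")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_pfkey_dump(SAMPLE_DUMP)):
        print(finding)
```

Run against the constructed dump, the only finding is the missing flow, which matches the "failed to load flow" line in the log; cut the dump off after the getspi and the unfilled placeholder SA is reported as well.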

