On Mon, Apr 10, 2006 at 03:04:58PM -0700, Andrew Wenlang Zhu wrote:
> (Re-post from security discussion)
I must not be getting [EMAIL PROTECTED] mail. Odd...
> We have systems using manual key IPSEC on Solaris 8. IPsec works fine, and
> the traffic can go through with IPsec.
>
> Mar 14 20:45:04 ipsecah: [ID 800123 kern.error] ESP Authentication failed for spi 0x64f6644e, dst xxxxxx.
> Mar 14 20:50:09 last message repeated 3 times
>
> I checked the configuration on two peer systems, the configurations
> match, and the traffic between them flows well.
>
> What could cause this error message, and how do I get rid of them?

There are several causes:

1.) Packet corruption. It happens, and sometimes it passes the
    Ethernet CRC or is introduced by a buggy router. ESP's
    authentication will catch such corruption and drop the bug.

2.) Attacker of some kind --> often someone will send you ESP traffic
    with the same SPI in the hopes of something happening.
    Authentication failing is one of the most common causes of this.

3.) Corner-case bug on your receiving system. It's possible that the
    corruption is after your machine gets the bits on the wire.
    Buggy drivers, buggy IP code, it could be anything.

You should upgrade to Solaris 10 or later, where the ipdrop kstats and other
supporting functions can help you determine more about such buggy packets.

Dan
_______________________________________________
networking-discuss mailing list
[email protected]
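
Added example, not part of the original thread or of Solaris: a small Python tally of the "ESP Authentication failed" messages discussed above, per SPI and destination, folding in syslog's "last message repeated N times" lines so the count and time span of failures for each SA are visible. The sample log lines, the address 192.0.2.10, the second SPI and the `year` parameter are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, modelled on the log message quoted in the thread.
# 192.0.2.10 and the second SPI are made-up values.
SAMPLE_LOG = """\
Mar 14 20:45:04 ipsecah: [ID 800123 kern.error] ESP Authentication failed for spi 0x64f6644e, dst 192.0.2.10.
Mar 14 20:50:09 last message repeated 3 times
Mar 14 21:10:30 ipsecah: [ID 800123 kern.error] ESP Authentication failed for spi 0x64f6644e, dst 192.0.2.10.
Mar 14 21:12:00 sshd[411]: [ID 800047 auth.info] Accepted publickey for admin
Mar 14 21:12:05 last message repeated 2 times
Mar 15 02:00:01 ipsecah: [ID 800123 kern.error] ESP Authentication failed for spi 0x1a2b3c4d, dst 192.0.2.10.
"""

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) "
FAIL_RE = re.compile(TS + r".*ESP Authentication failed for spi "
                     r"(?P<spi>0x[0-9a-fA-F]+), dst (?P<dst>\S+?)\.?$")
REPEAT_RE = re.compile(TS + r"(?:\S+ )?last message repeated (?P<n>\d+) times?$")


def summarize(text, year=2006):
    """Return {(spi, dst): {"count", "first", "last"}} for ESP auth failures.

    syslog timestamps carry no year, so the caller supplies one (assumption).
    """
    stats = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    prev_key = None  # set only while the preceding message was an ESP failure
    for line in text.splitlines():
        line = line.strip()
        fail, rep = FAIL_RE.match(line), REPEAT_RE.match(line)
        if fail:
            prev_key, n, ts = (fail["spi"].lower(), fail["dst"]), 1, fail["ts"]
        elif rep and prev_key:
            n, ts = int(rep["n"]), rep["ts"]  # repeats of the previous failure
        else:
            if not rep:
                prev_key = None  # unrelated message: later repeats are not ours
            continue
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        entry = stats[prev_key]
        entry["count"] += n
        entry["first"] = entry["first"] or when
        entry["last"] = when
    return dict(stats)


if __name__ == "__main__":
    for (spi, dst), e in summarize(SAMPLE_LOG).items():
        print(f"spi={spi} dst={dst} failures={e['count']} "
              f"first={e['first']} last={e['last']}")
```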