RV: [Openswan Users] RE: My ipsec0 device drops nat-t packets

Ivan Lopez ilopez at enress.gov.ar
Thu Mar 10 12:27:58 CET 2005 

Problem solved. It was only a kernel problem, not openswan problem. I´m using Debian 2.4.26 kernel with 26sec backport now and it seems work very well. But, of course, I haven´t ipsec0 interface anymore. The question is: Can you give some URL where I can see how a packet traverses de iptables chains and where 26sec works?. I´read some posts in this mailing list and some pdf from xelerance and I started to build my packet filter rules from these, but I´d like to know a bit more.
Best Regards.
Ivan


-----Mensaje original-----
De: Ing. Ivan Lopez [mailto:ivan_n_lopez at hotmail.com] 
Enviado el: Sábado, 05 de Marzo de 2005 13:50
Para: users at openswan.org
Asunto: [Openswan Users] RE: My ipsec0 device drops nat-t packets


Hi people:
Thanks for your answer. Unafortunelly it still doen't work I was trying a lot of things whitout luck. It' works fine when I connect my roadwarrior (w2k with NAT-T patch) to Internet from a dialed connection (I´had public IP in that case). But it doesn't work for my cablemodem (private IP in that case).

My ipsec config follows:
ipsec.conf:
----------
# basic configuration

config setup

# Debug-logging controls: "none" for (almost) none, "all" for lots.

interfaces=%defaultroute

klipsdebug=none

plutodebug=none

uniqueids=yes

nat_traversal=yes

overridemtu=1300

virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/1

# Conexiones

# PC Wxp omalvasio L2TP/IPSEC

conn L2TP-BFAMA

#type=transport

authby=rsasig

pfs=no

# Gateway lado izquierdo (bfama)

left=45.45.45.45

leftnexthop=45.45.45.1

leftid=....

leftprotoport=17/0

#

# Lado derecho: PC Omalvasio

#

right=%any

rightsubnet=vhost:%no,%priv

rightid=....

rightrsasigkey=%cert

rightnexthop=%defaultroute

rightprotoport=17/1701

#Autorizo la conexion, pero no la inicio

auto=add

conn L2TP-BFAMA-old

#type=transport

authby=rsasig

pfs=no

# Gateway lado izquierdo (bfama)

left=45.45.45.45

leftnexthop=45.45.45.1

leftid="..."

leftcert=openswan-cert.pem

leftprotoport=17/1701

#

# Lado derecho: PC Omalvasio

#

right=%any

rightsubnet=vhost:%no,%priv

rightid="...."

rightrsasigkey=%cert

rightnexthop=%defaultroute

rightprotoport=17/1701

#Autorizo la conexion, pero no la inicio

auto=add

#Disable Opportunistic Encryption

include /etc/ipsec.d/examples/no_oe.conf


I can't view any logs from l2tpd (when roadwarrior is gehind NAT) because I think l2tpd never got any packet. ipsec0 interface drops everything. In klips debug I noticed there are messages saying "Mar 5 11:06:47 bfama
kernel: klips_debug:ipsec_rcv: SA:esp.8e1d5296 at 45.45.45.45 does not agree with expected NAT-T policy."  What are those?

Here is a piece of klips debug:
Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_process: ips_said.dst set to 200.68.215.117.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_process: successful.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_msg_interp: processing ext 24 0pcd7e1f10 with processor 0pc0302570.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_process:

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_process: found address family=2, AF_INET, 255.255.255.255.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_process: found dst mask address.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_alloc_eroute: eroute struct already allocated

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_parse: extr->eroute set to 45.45.45.45/32:1701->200.68.215.117/32:1701

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_process: successful.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_msg_interp: processing ext 26 0pcd7e1f28 with processor 0pc02fc6e0.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_x_protocol_process: c7e21e00

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_x_protocol_process: protocol = 17.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_msg_interp: parsing message type 14(x-addflow(eroute)) with msg_parser 0pc0300560.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_x_addflow_parse: .

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_x_addflow_parse: calling breakeroute and/or makeroute for 45.45.45.45/32->200.68.215.117/32

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_x_addflow_parse: calling makeroute.

Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_makeroute: attempting to allocate 192 bytes to insert eroute for 45.45.45.45/32->200.68.215.117/32,
SA: esp.ee3ab5c6 at 200.68.215.117, PID:2855, skb=0p00000000, ident:NULL->NULL

Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_makeroute: 141a1000c82dadf3c844d775110006a506a50000 / 141aff00ffffffffffffffffff00ffffffff0000

Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_makeroute: calling rj_addroute now

Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_makeroute: pid=02855 count= 0 lasttime= 0 45.45.45.45/32 -> 200.68.215.117/32 => esp.ee3ab5c6 at 200.68.215.117

Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_makeroute: succeeded.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_x_addflow_parse: makeroute call successful.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_msg_hdr_build:

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_msg_hdr_build: on_entry &pfkey_ext=0pc7e21b7c pfkey_ext=0pc7e21cdc *pfkey_ext=0p00000000.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_msg_hdr_build: on_exit &pfkey_ext=0pc7e21b7c pfkey_ext=0pc7e21cdc *pfkey_ext=0pc3d2de20.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_safe_build: error=0

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_safe_build:success.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_sa_build: spi=ee3ab5c6 replay=0 sa_state=0 auth=0 encrypt=0 flags=0

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_safe_build: error=0

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_safe_build:success.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: exttype=5 proto=0 prefixlen=0

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: found address family AF_INET.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: found address=45.45.45.45:1701.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: successful created len: 3.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_safe_build: error=0

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_safe_build:success.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: exttype=6 proto=0 prefixlen=0

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: found address family AF_INET.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: found address=200.68.215.117:1701.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: successful created len: 3.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_safe_build: error=0

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_safe_build:success.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: exttype=21 proto=0 prefixlen=0

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: found address family AF_INET.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: found address=45.45.45.45:0.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: successful created len: 3.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_safe_build: error=0

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_safe_build:success.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: exttype=22 proto=0 prefixlen=0

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: found address family AF_INET.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: found address=200.68.215.117:0.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: successful created len: 3.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_safe_build: error=0

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_safe_build:success.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: exttype=23 proto=0 prefixlen=0

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: found address family AF_INET.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: found address=255.255.255.255:0.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: successful created len: 3.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_safe_build: error=0

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_safe_build:success.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: exttype=24 proto=0 prefixlen=0

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: found address family AF_INET.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: found address=255.255.255.255:0.

Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: successful created len: 3.

Mar 5 11:06:47 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:184 id:25220 frag_off:0 ttl:114 proto:17 (UDP) chk:53205 saddr:200.68.215.117:11364 daddr:45.45.45.45:4500

Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_rcv: ESPinUDP pkt without Non-ESP - spi=0x8e1d5296

Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_rcv: removing 8 bytes from ESPinUDP packet

Mar 5 11:06:47 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:176 id:25220 frag_off:0 ttl:114 proto:50 chk:53205 saddr:200.68.215.117 daddr:45.45.45.45

Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_rcv: <<< Info --
skb->dev=eth0 dev=eth0

Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_rcv: assigning packet ownership to virtual device ipsec0 from physical device eth0.

Mar 5 11:06:47 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:176 id:25220 frag_off:0 ttl:114 proto:50 chk:53205 saddr:200.68.215.117 daddr:45.45.45.45

Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_rcv_decap_once: decap (50) from 200.68.215.117 -> 45.45.45.45

Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=179 of SA:esp.8e1d5296 at 45.45.45.45 requested.

Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_rcv: SA:esp.8e1d5296 at 45.45.45.45, src=200.68.215.117 of pkt agrees with expected SA source address policy.

Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_rcv: SA:esp.8e1d5296 at 45.45.45.45 First SA in group.

Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_rcv: natt_type=2
tdbp->ips_natt_type=0 : bad

Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_rcv: SA:esp.8e1d5296 at 45.45.45.45 does not agree with expected NAT-T policy.

Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_sa_put: ipsec_sa SA:esp.8e1d5296 at 45.45.45.45, ref:172 reference count decremented.

Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_rcv: decap_once failed: -12

Mar 5 11:06:48 bfama kernel: klips_debug:ipsec_rcv: suspected ESPinUDP packet (NAT-Traversal) [2].

Mar 5 11:06:48 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:184 id:25229 frag_off:0 ttl:114 proto:17 (UDP) chk:53196 saddr:200.68.215.117:11364 daddr:45.45.45.45:4500

Mar 5 11:06:48 bfama kernel: klips_debug:ipsec_rcv: ESPinUDP pkt without Non-ESP - spi=0x8e1d5296

Mar 5 11:06:48 bfama kernel: klips_debug:ipsec_rcv: removing 8 bytes from ESPinUDP packet

Mar 5 11:06:48 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:176 id:25229 frag_off:0 ttl:114 proto:50 chk:53196 saddr:200.68.215.117 daddr:45.45.45.45

Mar 5 11:06:48 bfama kernel: klips_debug:ipsec_rcv: <<< Info --
skb->dev=eth0 dev=eth0

Mar 5 11:06:48 bfama kernel: klips_debug:ipsec_rcv: assigning packet ownership to virtual device ipsec0 from physical device eth0.

Mar 5 11:06:48 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:176 id:25229 frag_off:0 ttl:114 proto:50 chk:53196 saddr:200.68.215.117 daddr:45.45.45.45

Mar 5 11:06:48 bfama kernel: klips_debug:ipsec_rcv_decap_once: decap (50) from 200.68.215.117 -> 45.45.45.45

Mar 5 11:06:48 bfama kernel: klips_debug:ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=179 of SA:esp.8e1d5296 at 45.45.45.45 requested.

Mar 5 11:06:48 bfama kernel: klips_debug:ipsec_rcv: SA:esp.8e1d5296 at 45.45.45.45, src=200.68.215.117 of pkt agrees with expected SA source address policy.

Mar 5 11:06:48 bfama kernel: klips_debug:ipsec_rcv: SA:esp.8e1d5296 at 45.45.45.45 First SA in group.

Mar 5 11:06:48 bfama kernel: klips_debug:ipsec_rcv: natt_type=2
tdbp->ips_natt_type=0 : bad

Mar 5 11:06:48 bfama kernel: klips_debug:ipsec_rcv: SA:esp.8e1d5296 at 45.45.45.45 does not agree with expected NAT-T policy.

Mar 5 11:06:48 bfama kernel: klips_debug:ipsec_sa_put: ipsec_sa SA:esp.8e1d5296 at 45.45.45.45, ref:172 reference count decremented.

Mar 5 11:06:48 bfama kernel: klips_debug:ipsec_rcv: decap_once failed: -12

Mar 5 11:06:50 bfama kernel: klips_debug:ipsec_rcv: suspected ESPinUDP packet (NAT-Traversal) [2].

Mar 5 11:06:50 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:184 id:25251 frag_off:0 ttl:114 proto:17 (UDP) chk:53174 saddr:200.68.215.117:11364 daddr:45.45.45.45:4500

Mar 5 11:06:50 bfama kernel: klips_debug:ipsec_rcv: ESPinUDP pkt without Non-ESP - spi=0x8e1d5296

Mar 5 11:06:50 bfama kernel: klips_debug:ipsec_rcv: removing 8 bytes from ESPinUDP packet

Mar 5 11:06:50 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:176 id:25251 frag_off:0 ttl:114 proto:50 chk:53174 saddr:200.68.215.117 daddr:45.45.45.45

Mar 5 11:06:50 bfama kernel: klips_debug:ipsec_rcv: <<< Info --
skb->dev=eth0 dev=eth0

Mar 5 11:06:50 bfama kernel: klips_debug:ipsec_rcv: assigning packet ownership to virtual device ipsec0 from physical device eth0.

Mar 5 11:06:50 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:176 id:25251 frag_off:0 ttl:114 proto:50 chk:53174 saddr:200.68.215.117 daddr:45.45.45.45

Mar 5 11:06:50 bfama kernel: klips_debug:ipsec_rcv_decap_once: decap (50) from 200.68.215.117 -> 45.45.45.45

Mar 5 11:06:50 bfama kernel: klips_debug:ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=179 of SA:esp.8e1d5296 at 45.45.45.45 requested.

Mar 5 11:06:50 bfama kernel: klips_debug:ipsec_rcv: SA:esp.8e1d5296 at 45.45.45.45, src=200.68.215.117 of pkt agrees with expected SA source address policy.

Mar 5 11:06:50 bfama kernel: klips_debug:ipsec_rcv: SA:esp.8e1d5296 at 45.45.45.45 First SA in group.

Mar 5 11:06:50 bfama kernel: klips_debug:ipsec_rcv: natt_type=2
tdbp->ips_natt_type=0 : bad

Mar 5 11:06:50 bfama kernel: klips_debug:ipsec_rcv: SA:esp.8e1d5296 at 45.45.45.45 does not agree with expected NAT-T policy.

Mar 5 11:06:50 bfama kernel: klips_debug:ipsec_sa_put: ipsec_sa SA:esp.8e1d5296 at 45.45.45.45, ref:172 reference count decremented.

Mar 5 11:06:50 bfama kernel: klips_debug:ipsec_rcv: decap_once failed: -12

Mar 5 11:06:54 bfama kernel: klips_debug:ipsec_rcv: suspected ESPinUDP packet (NAT-Traversal) [2].

Mar 5 11:06:54 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:184 id:25274 frag_off:0 ttl:114 proto:17 (UDP) chk:53151 saddr:200.68.215.117:11364 daddr:45.45.45.45:4500

Mar 5 11:06:54 bfama kernel: klips_debug:ipsec_rcv: ESPinUDP pkt without Non-ESP - spi=0x8e1d5296

Mar 5 11:06:54 bfama kernel: klips_debug:ipsec_rcv: removing 8 bytes from ESPinUDP packet

Mar 5 11:06:54 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:176 id:25274 frag_off:0 ttl:114 proto:50 chk:53151 saddr:200.68.215.117 daddr:45.45.45.45

Mar 5 11:06:54 bfama kernel: klips_debug:ipsec_rcv: <<< Info --
skb->dev=eth0 dev=eth0

Mar 5 11:06:54 bfama kernel: klips_debug:ipsec_rcv: assigning packet ownership to virtual device ipsec0 from physical device eth0.

Mar 5 11:06:54 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:176 id:25274 frag_off:0 ttl:114 proto:50 chk:53151 saddr:200.68.215.117 daddr:45.45.45.45

Mar 5 11:06:54 bfama kernel: klips_debug:ipsec_rcv_decap_once: decap (50) from 200.68.215.117 -> 45.45.45.45

Mar 5 11:06:54 bfama kernel: klips_debug:ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=179 of SA:esp.8e1d5296 at 45.45.45.45 requested.

Mar 5 11:06:54 bfama kernel: klips_debug:ipsec_rcv: SA:esp.8e1d5296 at 45.45.45.45, src=200.68.215.117 of pkt agrees with expected SA source address policy.

Mar 5 11:06:54 bfama kernel: klips_debug:ipsec_rcv: SA:esp.8e1d5296 at 45.45.45.45 First SA in group.

Mar 5 11:06:54 bfama kernel: klips_debug:ipsec_rcv: natt_type=2
tdbp->ips_natt_type=0 : bad

Mar 5 11:06:54 bfama kernel: klips_debug:ipsec_rcv: SA:esp.8e1d5296 at 45.45.45.45 does not agree with expected NAT-T policy.

Mar 5 11:06:54 bfama kernel: klips_debug:ipsec_sa_put: ipsec_sa SA:esp.8e1d5296 at 45.45.45.45, ref:172 reference count decremented.

Mar 5 11:06:54 bfama kernel: klips_debug:ipsec_rcv: decap_once failed: -12

Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_rcv: suspected ESPinUDP packet (NAT-Traversal) [2].

Mar 5 11:07:02 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:100 id:25277 frag_off:0 ttl:114 proto:17 (UDP) chk:53232 saddr:200.68.215.117:11364 daddr:45.45.45.45:4500

Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_rcv: IKE packet - not handled here

Mar 5 11:07:02 bfama kernel: IP12_drop_LCL2VPN:01 IN= OUT=ipsec0 SRC=45.45.45.45 DST=200.68.215.117 LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=2119 DF PROTO=UDP SPT=4500 DPT=11364 LEN=80

Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_rcv: suspected ESPinUDP packet (NAT-Traversal) [2].

Mar 5 11:07:02 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:116 id:25278 frag_off:0 ttl:114 proto:17 (UDP) chk:53215 saddr:200.68.215.117:11364 daddr:45.45.45.45:4500

Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_rcv: IKE packet - not handled here

Mar 5 11:07:02 bfama kernel: debug:pfkey_safe_build: error=0

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build:success.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: exttype=6 proto=0 prefixlen=0

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: found address family AF_INET.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: found address=0.0.0.0:0.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: successful created len: 3.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build: error=0

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build:success.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: exttype=21 proto=0 prefixlen=0

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: found address family AF_INET.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: found address=45.45.45.45:0.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: successful created len: 3.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build: error=0

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build:success.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: exttype=22 proto=0 prefixlen=0

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: found address family AF_INET.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: found address=200.68.215.117:0.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: successful created len: 3.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build: error=0

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build:success.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: exttype=23 proto=0 prefixlen=0

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: found address family AF_INET.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: found address=255.255.255.255:0.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: successful created len: 3.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build: error=0

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build:success.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: exttype=24 proto=0 prefixlen=0

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: found address family AF_INET.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: found address=255.255.255.255:0.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: successful created len: 3.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build: error=0

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build:success.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: pfkey_msg=0pc2fb46f0 allocated 184 bytes, &(extensions[0])=0pc7e21cdc

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: copying 24 bytes from extensions[1] (type=1)

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: copying 24 bytes from extensions[5] (type=5)

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: copying 24 bytes from extensions[6] (type=6)

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: copying 24 bytes from extensions[21] (type=21)

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: copying 24 bytes from extensions[22] (type=22)

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: copying 24 bytes from extensions[23] (type=23)

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: copying 24 bytes from extensions[24] (type=24)

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: extensions permitted=05e00063, seen=01e00063, required=01e00043.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_upmsg: allocating 184 bytes...

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_upmsg: ...allocated at 0pc3054210.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_x_addflow_parse: sending up x_addflow reply message for satype=11(INT) (proto=61) to socket=0pc3b409d0 succeeded.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_x_addflow_parse: extr->ips cleaned up and freed.

Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_wipe: removing SA=%%trap(0pc55bdc00), SAref=175, table=0(0pce804000), entry=175 from the refTable.

Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_put: ipsec_sa SA:%%trap, ref:-1 reference count decremented.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_sendmsg: .

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_sendmsg: allocating 88 bytes for downward message.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_sendmsg: msg sent for parsing.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_interp: parsing message ver=2, type=4, errno=0, satype=3(ESP), len=11, res=0, seq=16, pid=2855.

Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_SAref_alloc: SAref requested... head=176, cont=256, tail=255, listsize=256.

Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_SAref_alloc: allocating SAref=176, table=0, entry=176 of 65536.

Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_alloc: allocated 528 bytes for ipsec_sa struct=0pc55bdc00 ref=176.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_interp: allocated
extr->ips=0pc55bdc00.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_interp: satype 3 lookups to proto=50.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: parsing message ver=2, type=4(delete), errno=0, satype=3(ESP), len=11, res=0, seq=16, pid=2855.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: satype 3(ESP) conversion to proto gives 50 for msg_type 4(delete).

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: remain=9

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: extensions permitted=00000063, required=00000063.

Mar 5 11:07:02 bfama kernel: kl>klips_debug:pfkey_msg_build: copying 24 bytes from extensions[1] (type=1)

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: copying 24 bytes from extensions[5] (type=5)

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: copying 24 bytes from extensions[6] (type=6)

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: extensions permitted=00000063, seen=00000063, required=00000063.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_upmsg: allocating 88 bytes...

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_upmsg: ...allocated at 0pc3054210.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_delete_parse: sending up delete reply message for satype=3(ESP) to socket=0pc3b409d0 succeeded.

Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_wipe: removing SA=esp.ee3ab5c6 at 200.68.215.117(0pc55bdc00), SAref=176, table=0(0pce804000), entry=176 from the refTable.

Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_put: ipsec_sa SA:esp.ee3ab5c6 at 200.68.215.117, ref:-1 reference count decremented.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_sendmsg: .

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_sendmsg: allocating 88 bytes for downward message.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_sendmsg: msg sent for parsing.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_interp: parsing message ver=2, type=4, errno=0, satype=3(ESP), len=11, res=0, seq=17, pid=2855.

Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_SAref_alloc: SAref requested... head=177, cont=256, tail=255, listsize=256.

Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_SAref_alloc: allocating SAref=177, table=0, entry=177 of 65536.

Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_alloc: allocated 528 bytes for ipsec_sa struct=0pc55bdc00 ref=177.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_interp: allocated
extr->ips=0pc55bdc00.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_interp: satype 3 lookups to proto=50.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: parsing message ver=2, type=4(delete), errno=0, satype=3(ESP), len=11, res=0, seq=17, pid=2855.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: satype 3(ESP) conversion to proto gives 50 for msg_type 4(delete).

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: remain=9

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: extensions permitted=00000063, required=00000063.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: parsing ext
type=1(security-association) remain=9.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: remain=9
ext_type=1(security-association) ext_len=3 parsing ext 0pcd865c70 with parser pfkey_sa_parse.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_sa_parse: successfully found len=3 exttype=1(security-association) spi=8e1d5296 replay=0 state=1 auth=0 encrypt=0 flags=0 ref=-1.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: Extension
1(security-association) parsed.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: parsing ext
type=5(source-address) remain=6.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: remain=6
ext_type=5(source-address) ext_len=3 parsing ext 0pcd865c88 with parser pfkey_address_parse.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_parse: found
exttype=5(source-address) family=2(AF_INET) address=200.68.215.117 proto=0 port=1701.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_parse: successful.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: Extension
5(source-address) parsed.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: parsing ext
type=6(destination-address) remain=3.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: remain=3
ext_type=6(destination-address) ext_len=3 parsing ext 0pcd865ca0 with parser pfkey_address_parse.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_parse: found
exttype=6(destination-address) family=2(AF_INET) address=45.45.45.45 proto=0 port=1701.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_parse: successful.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: Extension
6(destination-address) parsed.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: extensions permitted=00000063, seen=00000063, required=00000063.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_interp: processing ext 1 0pcd865c70 with processor 0pc0302240.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_sa_process: .

Mar 5 11:07:02 bfama kernel: klips_debug: ipsec_alg_sa_init() :entering for encalg=0, authalg=0

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_interp: processing ext 5 0pcd865c88 with processor 0pc0302570.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process:

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process: found address family=2, AF_INET, 200.68.215.117.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process: found src address.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process: allocating 16 bytes for saddr.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process: successful.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_interp: processing ext 6 0pcd865ca0 with processor 0pc0302570.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process:

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process: found address family=2, AF_INET, 45.45.45.45.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process: found dst address.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process: allocating 16 bytes for saddr.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process: ips_said.dst set to 45.45.45.45.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process: successful.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_interp: parsing message type 4(delete) with msg_parser 0pc02fe9f0.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_delete_parse: .

Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=179 of SA:esp.8e1d5296 at 45.45.45.45 requested.

Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_put: ipsec_sa SA:esp.8e1d5296 at 45.45.45.45, ref:172 reference count decremented.

Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_delchain: passed SA:esp.8e1d5296 at 45.45.45.45

Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_delchain: unlinking and delting SA:esp.8e1d5296 at 45.45.45.45<6>.

Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_del: deleting SA:esp.8e1d5296 at 45.45.45.45, hashval=179.

Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_del: successfully deleted first ipsec_sa in chain.

Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_wipe: removing SA=esp.8e1d5296 at 45.45.45.45(0pcdf09c00), SAref=172, table=0(0pce804000), entry=172 from the refTable.

Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_put: ipsec_sa SA:esp.8e1d5296 at 45.45.45.45, ref:-1 reference count decremented.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build:success.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: pfkey_msg=0pc1c1ccb0 allocated 88 bytes, &(extensions[0])=0pc7e21cec

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: copying 24 bytes from extensions[1] (type=1)

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: copying 24 bytes from extensions[5] (type=5)

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: copying 24 bytes from extensions[6] (type=6)

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: extensions permitted=00000063, seen=00000063, required=00000063.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_upmsg: allocating 88 bytes...

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_upmsg: ...allocated at 0pc3054210.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_delete_parse: sending up delete reply message for satype=3(ESP) to socket=0pc3b409d0 succeeded.

Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_wipe: removing SA=esp.8e1d5296 at 45.45.45.45(0pc55bdc00), SAref=177, table=0(0pce804000), entry=177 from the refTable.

Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_put: ipsec_sa SA:esp.8e1d5296 at 45.45.45.45, ref:-1 reference count decremented.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_sendmsg: .

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_sendmsg: allocating 120 bytes for downward message.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_sendmsg: msg sent for parsing.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_interp: parsing message ver=2, type=15, errno=0, satype=11(INT), len=15, res=0, seq=18, pid=2855.

Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_SAref_alloc: SAref requested... head=178, cont=256, tail=255, listsize=256.

Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_SAref_alloc: allocating SAref=178, table=0, entry=178 of 65536.

Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_alloc: allocated 528 bytes for ipsec_sa struct=0pcdf09c00 ref=178.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_interp: allocated
extr->ips=0pcdf09c00.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: parsing message ver=2, type=15(x-delflow(eroute)), errno=0, satype=11(INT), len=15, res=0, seq=18, pid=2855.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: remain=13

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: extensions permitted=05e00c03, required=00000001.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: parsing ext
type=21(X-source-flow-address) remain=13.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: remain=13
ext_type=21(X-source-flow-address) ext_len=3 parsing ext 0pc1c1ccc0 with parser pfkey_address_parse.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_parse: found
exttype=21(X-source-flow-address) family=2(AF_INET) address=45.45.45.45 proto=0 port=1701.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_parse: successful.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: Extension
21(X-source-flow-address) parsed.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: parsing ext
type=22(X-dest-flow-address) remain=10.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: remain=10
ext_type=22(X-dest-flow-address) ext_len=3 parsing ext 0pc1c1ccd8 with parser pfkey_address_parse.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_parse: found
exttype=22(X-dest-flow-address) family=2(AF_INET) address=200.68.215.117 proto=0 port=1701.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_parse: successful.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: Extension
22(X-dest-flow-address) parsed.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: parsing ext
type=23(X-source-mask) remain=7.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: remain=7
ext_type=23(X-source-mask) ext_len=3 parsing ext 0pc1c1ccf0 with parser pfkey_address_parse.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_parse: found
exttype=23(X-source-mask) family=2(AF_INET) address=255.255.255.255 proto=0 port=65535.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_parse: successful.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: Extension
23(X-source-mask) parsed.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: parsing ext
type=24(X-dest-mask) remain=4.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: remain=4
ext_type=24(X-dest-mask) ext_len=3 parsing ext 0pc1c1cd08 with parser pfkey_address_parse.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_parse: found
exttype=24(X-dest-mask) family=2(AF_INET) address=255.255.255.255 proto=0 port=65535.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_parse: successful.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: Extension
24(X-dest-mask) parsed.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process: found address family=2, AF_INET, 255.255.255.255.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process: found src mask address.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_alloc_eroute: eroute struct already allocated

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_parse: extr->eroute set to 45.45.45.45/32:1701->200.68.215.117/0:1701

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process: successful.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_interp: processing ext 24 0pc1c1cd08 with processor 0pc0302570.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process:

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process: found address family=2, AF_INET, 255.255.255.255.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process: found dst mask address.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_alloc_eroute: eroute struct already allocated

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_parse: extr->eroute set to 45.45.45.45/32:1701->200.68.215.117/32:1701

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process: successful.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_interp: processing ext 26 0pc1c1cd20 with processor 0pc02fc6e0.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_x_protocol_process: c7e21e00

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_x_protocol_process: protocol = 17.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_interp: parsing message type 15(x-delflow(eroute)) with msg_parser 0pc0300d30.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_x_delflow_parse: .

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_x_delflow_parse: calling breakeroute for 45.45.45.45/32->200.68.215.117/32

Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_breakroute: attempting to delete eroute for 45.45.45.45/32:1701->200.68.215.117/32:1701 17

Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_breakroute: deleted eroute=0pcd7e1b70, ident=0p00000000->0p00000000, first=0p00000000, last=0p00000000

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_hdr_build:

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_hdr_build: on_entry &pfkey_ext=0pc7e21c00 pfkey_ext=0pc7e21cdc *pfkey_ext=0p00000000.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_hdr_build: on_exit &pfkey_ext=0pc7e21c00 pfkey_ext=0pc7e21cdc *pfkey_ext=0pc06f2e60.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build: error=0

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build:success.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_sa_build: spi=00000000 replay=0 sa_state=0 auth=0 encrypt=0 flags=0

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build: error=0

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build:success.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: exttype=21 proto=0 prefixlen=0

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: found address family AF_INET.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: found address=45.45.45.45:0.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: successful created len: 3.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build: error=0

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build:success.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: exttype=22 proto=0 prefixlen=0

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: found address family AF_INET.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: found address=200.68.215.117:0.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: successful created len: 3.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build: error=0

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build:success.

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: exttype=23 proto=0 prefixlen=0

Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: found address family AF_INET.

Mar 5 11:07:05 bfama kernel: klips_debug:ipsec_rcv: suspected ESPinUDP packet (NAT-Traversal) [2].

Mar 5 11:07:05 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:29 id:25299 frag_off:0 ttl:114 proto:17 (UDP) chk:53281 saddr:200.68.215.117:11364 daddr:45.45.45.45:4500

Mar 5 11:07:05 bfama kernel: klips_debug:ipsec_rcv: NAT-keepalive from 200.68.215.117.

Mar 5 11:07:18 bfama kernel: klips_debug:@ flags = 6 @key=0pcdfecf90 key =
00000000->00000000 @mask=0p00000000

Mar 5 11:07:18 bfama kernel: klips_debug:@ flags = 6 @key=0pcdfecfa4 key =
ffffffff->ffffffff @mask=0p00000000

Mar 5 11:07:18 bfama kernel: klips_debug: off = 0

Mar 5 11:07:18 bfama kernel: klips_debug:ipsec_eroute_get_info:
buffer=0pc6658000, *start=0p00000000, offset=0, length=3072

Mar 5 11:07:18 bfama kernel: klips_debug:rj_walktree: for: rn=0pc12c87b8 rj_b=-3 rj_flags=6 leaf key = 00000000->00000000

Mar 5 11:07:18 bfama kernel: klips_debug:rj_walktree: processing leaves, rn=0pc12c87e8 rj_b=-3 rj_flags=6 leaf key = ffffffff->ffffffff

Mar 5 11:07:18 bfama kernel: klips_debug:rj_walktree: while: base=0p00000000 rn=0pc12c87b8 rj_b=-3 rj_flags=6 leaf key = 00000000->00000000

Mar 5 11:07:25 bfama kernel: klips_debug:ipsec_rcv: suspected ESPinUDP packet (NAT-Traversal) [2].

Mar 5 11:07:25 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:29 id:25315 frag_off:0 ttl:114 proto:17 (UDP) chk:53265 saddr:200.68.215.117:11364 daddr:45.45.45.45:4500

Mar 5 11:07:25 bfama kernel: klips_debug:ipsec_rcv: NAT-keepalive from 200.68.215.117.

Mar 5 11:07:45 bfama kernel: klips_debug:ipsec_rcv: suspected ESPinUDP packet (NAT-Traversal) [2].

Mar 5 11:07:45 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:29 id:25444 frag_off:0 ttl:114 proto:17 (UDP) chk:53136 saddr:200.68.215.117:11364 daddr:45.45.45.45:4500

Mar 5 11:07:45 bfama kernel: klips_debug:ipsec_rcv: NAT-keepalive from 200.68.215.117.

Have you got any idea. Thanks in advance
Ivan.
--------------------------------



Ivan Lopez wrote:

> In that scenario, IPSEC connection stablished perfectly but then 
> ipsec0 device starts to drops packets (I can see it with ifconfig)

Could be an MTU problem. Did you check the logs for errors? See also: http://www.jacco2.dds.nl/networking/freeswan-l2tp.html#MTUproblems

Jacco
--
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
_______________________________________________
Users mailing list
Users at openswan.org http://lists.openswan.org/mailman/listinfo/users

More information about the Users mailing list