state of sasyncd + udpencap port state


Martin Hedenfalk-2
Hello all,

I have two questions:

1) What is the state of sasyncd in 3.8? (I'm currently running stable
without any patches). The only hint that there would be known bugs or
that sasyncd would be incomplete is this email:
http://archives.neohapsis.com/archives/openbsd/2005-10/1804.html.

2) I have an IPsec tunnel from a Soekris box (with custom kernel)
through a NAT. I ping through the tunnel and the replies come back to
the Soekris. UDP encapsulation works fine until I reboot the NAT box.
After rebooting the NAT box, the IPsec gateway continues to send back
replies on the old port (51884), but the NAT box has chosen another
source port, obviously.

tcpdump on the NAT box after reboot:
09:51:49.835997 217.13.255.140.64819 > 217.13.255.183.4500: udpencap:
esp 217.13.255.140 > 217.13.255.183 spi 0x5ACCA1E0 seq 241 len 132
09:51:49.837076 217.13.255.183.4500 > 217.13.255.140.51884: udpencap:
esp 217.13.255.183 > 217.13.255.140 spi 0x89134FAD seq 192 len 132

Before reboot, the NAT machine (217.13.255.140) sent packets with source
port 51884 and everything worked fine.

Why is 217.13.255.183 (the IPsec gateway) still sending back replies to
the old port (51884) instead of the new port 64819?

The issue is resolved after the SA expires and a new SA is set up.

Thanks for any help or hints!
/Martin
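An added example (not part of the original post) that spots the symptom described above from tcpdump output: it learns, per peer, the most recent source port seen on inbound NAT-T (udpencap) traffic and flags every reply the gateway sends to a different port. The sample dump is constructed from the two lines quoted in the post plus a pre-reboot exchange; the gateway address and the NAT-T port 4500 are taken from the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a pre-reboot exchange on port 51884, then the two lines
# quoted in the post (inbound on the new port 64819, reply still to 51884).
TCPDUMP = """\
09:40:01.000000 217.13.255.140.51884 > 217.13.255.183.4500: udpencap: esp 217.13.255.140 > 217.13.255.183 spi 0x5ACCA1E0 seq 100 len 132
09:40:01.001000 217.13.255.183.4500 > 217.13.255.140.51884: udpencap: esp 217.13.255.183 > 217.13.255.140 spi 0x89134FAD seq 90 len 132
09:51:49.835997 217.13.255.140.64819 > 217.13.255.183.4500: udpencap: esp 217.13.255.140 > 217.13.255.183 spi 0x5ACCA1E0 seq 241 len 132
09:51:49.837076 217.13.255.183.4500 > 217.13.255.140.51884: udpencap: esp 217.13.255.183 > 217.13.255.140 spi 0x89134FAD seq 192 len 132
"""

# Matches the "timestamp src.sport > dst.dport: udpencap:" prefix of a tcpdump line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): udpencap:"
)


def find_stale_nat_ports(dump: str, gateway: str, natt_port: int = 4500) -> List[Tuple[str, str, int, int]]:
    """Return (timestamp, peer, stale_port, current_port) for every reply the
    gateway sends to a UDP port that differs from the port the peer most
    recently used when reaching the gateway's NAT-T port."""
    last_seen: Dict[str, int] = {}  # peer address -> latest inbound source port
    stale: List[Tuple[str, str, int, int]] = []
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a udpencap line; ignore
        src, sport = m["src"], int(m["sport"])
        dst, dport = m["dst"], int(m["dport"])
        if dst == gateway and dport == natt_port:
            last_seen[src] = sport  # inbound: this is the NAT's current mapping
        elif src == gateway and sport == natt_port:
            current = last_seen.get(dst)
            if current is not None and current != dport:
                stale.append((m["ts"], dst, dport, current))
    return stale


if __name__ == "__main__":
    for ts, peer, old, new in find_stale_nat_ports(TCPDUMP, "217.13.255.183"):
        print(f"{ts}: reply to {peer} uses stale port {old}, peer now sends from {new}")
```

Run against a live capture, a non-empty result is the stale-port condition from the post; an empty one means the gateway followed the NAT's port change.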