----------------------------------------------------------------------------------
@MSGID: 2:5034/10.1 1f206f21
@REPLY: grosbein.net 579f3ed6
@CHRS: CP866 2
@PID: wfido 0.0.1/a
@TID: FTN::Pkt 1.02
@Posted: 04 Feb 26 15:40:47
Hello, Eugene!
SA>> with tunnel, traffic doesn't flow.
EG> Add to /etc/sysctl.conf:
EG> net.key.preferred_oldsa=0
EG> net.inet.ipsec.filtertunnel=1
EG> And either reboot, or delete all policies with the commands:
EG> setkey -F; setkey -FP
# sysctl net.key.preferred_oldsa=0
net.key.preferred_oldsa: 1 -> 0
# sysctl net.inet.ipsec.filtertunnel=1
net.inet.ipsec.filtertunnel: 0 -> 1
# setkey -F; setkey -FP
# setkey -D
No SAD entries.
# setkey -DP
No SPD entries.
After connecting:
ipsec0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
    description: ikev2: 10.10.10.2 <client IP>
    tunnel inet -->
    inet 10.10.10.1 --> 10.10.10.2 netmask 0xffffffff
    groups: ipsec r1g
    reqid: 1
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
# netstat -nr
Routing tables
Internet:
Destination Gateway Flags Netif Expire
[skip]
10.10.10.1 link#12 UHS lo0
10.10.10.2 link#12 UH ipsec0
[skip]
# setkey -DP
10.10.10.2[any] 0.0.0.0/0[any] any
    in ipsec
    esp/tunnel/-/unique:1
    created: Feb 4 15:13:15 2026 lastused: Feb 4 15:13:20 2026
    lifetime: 9223372036854775807(s) validtime: 0(s)
    spid=42 seq=5 pid=78425 scope=global
    refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
    in ipsec
    esp/tunnel/-/unique:1
    spid=48 seq=4 pid=78425 scope=ifnet ifname=ipsec0
    refcnt=1
::/0[any] ::/0[any] any
    in ipsec
    esp/tunnel/-/unique:1
    spid=50 seq=3 pid=78425 scope=ifnet ifname=ipsec0
    refcnt=1
0.0.0.0/0[any] 10.10.10.2[any] any
    out ipsec
    esp/tunnel/-/unique:1
    created: Feb 4 15:13:15 2026 lastused: Feb 4 15:13:15 2026
    lifetime: 9223372036854775807(s) validtime: 0(s)
    spid=43 seq=2 pid=78425 scope=global
    refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
    out ipsec
    esp/tunnel/-/unique:1
    spid=49 seq=1 pid=78425 scope=ifnet ifname=ipsec0
    refcnt=1
::/0[any] ::/0[any] any
    out ipsec
    esp/tunnel/-/unique:1
    spid=51 seq=0 pid=78425 scope=ifnet ifname=ipsec0
    refcnt=1
# setkey -D
[4500] [2179]
    esp-udp mode=tunnel spi=2110722774(0x7dcf12d6) reqid=1(0x00000001)
    E: aes-cbc d477e360 96a42912 374872ac 118bf3b7
    A: hmac-sha2-256 982be6e5 0fb787e1 534b06a2 0316c79d 8d36780a 68e44803 835cf57a b210151a
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    created: Feb 4 15:13:15 2026 current: Feb 4 15:13:26 2026
    diff: 11(s) hard: 0(s) soft: 0(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=1 pid=78460 refcnt=1
[2179] [4500]
    esp-udp mode=tunnel spi=3302333642(0xc4d59cca) reqid=1(0x00000001)
    E: aes-cbc f4bcdd87 9df6c238 27e46a23 ad8c3c65
    A: hmac-sha2-256 8415e870 1da5143a fdf6578a bfec9da5 2b034c10 8fc43f04 a27661f4 92731653
    seq=0x00000023 replay=4 flags=0x00000000 state=mature
    created: Feb 4 15:13:15 2026 current: Feb 4 15:13:26 2026
    diff: 11(s) hard: 0(s) soft: 0(s)
    last: Feb 4 15:13:15 2026 hard: 0(s) soft: 0(s)
    current: 9444(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 35 hard: 0 soft: 0
    sadb_seq=0 pid=78460 refcnt=1
and pings to 10.10.10.2 don't get through.
Somewhere I came across something written about double encapsulation. Isn't this
some bug-feature of my OS version?
FreeBSD server.5034.ru 13.2-RELEASE-p9 FreeBSD 13.2-RELEASE-p9 releng/13.2-c78c31d2e SERVER amd64
Without the tunnel option:
# setkey -D
[4500] [2234]
    esp-udp mode=tunnel spi=634435229(0x25d0b69d) reqid=1(0x00000001)
    E: aes-cbc 179659a9 7fcbe14f 98cd2176 cca6b455
    A: hmac-sha2-256 eef7520e aa527d40 287e73a9 5fc3e980 bea5285c 95f90992 4b40dbd8 67d0b2a3
    seq=0x0000003a replay=0 flags=0x00000000 state=mature
    created: Feb 4 15:22:23 2026 current: Feb 4 15:22:27 2026
    diff: 4(s) hard: 0(s) soft: 0(s)
    last: Feb 4 15:22:23 2026 hard: 0(s) soft: 0(s)
    current: 29800(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 58 hard: 0 soft: 0
    sadb_seq=1 pid=83828 refcnt=1
[2234] [4500]
    esp-udp mode=tunnel spi=3449724873(0xcd9e9fc9) reqid=1(0x00000001)
    E: aes-cbc ba750ccd 221efd45 ae3200ce 26891904
    A: hmac-sha2-256 92a7b3cb a2a5bb75 9a23591f 90c46044 a05e54f2 7982f038 4f89aec8 dbc265c9
    seq=0x00000045 replay=4 flags=0x00000000 state=mature
    created: Feb 4 15:22:23 2026 current: Feb 4 15:22:27 2026
    diff: 4(s) hard: 0(s) soft: 0(s)
    last: Feb 4 15:22:23 2026 hard: 0(s) soft: 0(s)
    current: 9257(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 69 hard: 0 soft: 0
    sadb_seq=0 pid=83828 refcnt=1
# setkey -DP
10.10.10.2[any] 0.0.0.0/0[any] any
    in ipsec
    esp/tunnel/-/unique:1
    created: Feb 4 15:22:23 2026 lastused: Feb 4 15:22:24 2026
    lifetime: 9223372036854775807(s) validtime: 0(s)
    spid=62 seq=1 pid=83836 scope=global
    refcnt=1
0.0.0.0/0[any] 10.10.10.2[any] any
    out ipsec
    esp/tunnel/-/unique:1
    created: Feb 4 15:22:23 2026 lastused: Feb 4 15:22:24 2026
    lifetime: 9223372036854775807(s) validtime: 0(s)
    spid=63 seq=0 pid=83836 scope=global
    refcnt=1
and traffic flows.
Best regards, Sergey Anohin.
--- wfido
* Origin: https://5034.ru/wfido (2:5034/10.1)
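An added example, not part of the post above nor of FreeBSD or any IKE daemon: a small Python parser for the two setkey(8) dumps the post pastes, written to make the two differences between the `tunnel` run and the run without it visible mechanically. It reports (a) a reqid and direction that is served by both a global-scope policy and an ifnet-scope policy in `setkey -DP`, which is what the `tunnel` run's SPD shows for reqid 1, and (b) an SA whose byte and packet counters stay at zero while the other SA of the same reqid is carrying traffic, which is what the `tunnel` run's SAD shows for the SA towards port 2179. The sample strings are the post's own output, trimmed to the lines the parser reads; the function names and output wording are mine.

```python
import re
from collections import defaultdict

# Constructed samples: the post's own setkey(8) dumps, trimmed to the lines this
# parser reads. Peer addresses were already redacted in the post, leaving only
# the UDP ports ([4500] is the NAT-T port on the server side).
SAD_TUNNEL = """\
[4500] [2179]
esp-udp mode=tunnel spi=2110722774(0x7dcf12d6) reqid=1(0x00000001)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
[2179] [4500]
esp-udp mode=tunnel spi=3302333642(0xc4d59cca) reqid=1(0x00000001)
current: 9444(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 35 hard: 0 soft: 0
"""
SAD_NO_TUNNEL = """\
[4500] [2234]
esp-udp mode=tunnel spi=634435229(0x25d0b69d) reqid=1(0x00000001)
current: 29800(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 58 hard: 0 soft: 0
[2234] [4500]
esp-udp mode=tunnel spi=3449724873(0xcd9e9fc9) reqid=1(0x00000001)
current: 9257(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 69 hard: 0 soft: 0
"""
SPD_TUNNEL = """\
10.10.10.2[any] 0.0.0.0/0[any] any
in ipsec
esp/tunnel/-/unique:1
spid=42 seq=5 pid=78425 scope=global
0.0.0.0/0[any] 0.0.0.0/0[any] any
in ipsec
esp/tunnel/-/unique:1
spid=48 seq=4 pid=78425 scope=ifnet ifname=ipsec0
0.0.0.0/0[any] 10.10.10.2[any] any
out ipsec
esp/tunnel/-/unique:1
spid=43 seq=2 pid=78425 scope=global
0.0.0.0/0[any] 0.0.0.0/0[any] any
out ipsec
esp/tunnel/-/unique:1
spid=49 seq=1 pid=78425 scope=ifnet ifname=ipsec0
"""

SA_HDR = re.compile(r"^(\S*)\[(\d+)\]\s+(\S*)\[(\d+)\]$")          # src[port] dst[port]
SA_INFO = re.compile(r"^(\S+) mode=(\S+) spi=\d+\((0x[0-9a-f]+)\) reqid=(\d+)")
SA_BYTES = re.compile(r"^current: (\d+)\(bytes\)")
SA_ALLOC = re.compile(r"^allocated: (\d+)")
SP_SEL = re.compile(r"^(.+?)\[(.+?)\]\s+(.+?)\[(.+?)\]\s+(\S+)$")  # src[port] dst[port] ul
SP_DIR = re.compile(r"^(in|out|fwd) (ipsec|discard|none)$")
SP_REQ = re.compile(r"^(\S+)/(\S+)/(\S+)/(\w+)(?::(\d+))?$")        # esp/tunnel/-/unique:1
SP_ID = re.compile(r"^spid=(\d+).*scope=(\w+)(?: ifname=(\S+))?")


def parse_sad(text):
    """Parse `setkey -D` output into one dict per SA (ports, spi, reqid, counters)."""
    sas, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := SA_HDR.match(line):
            cur = {"sport": int(m[2]), "dport": int(m[4]), "bytes": 0, "allocated": 0}
            sas.append(cur)
        elif cur is None:
            continue
        elif m := SA_INFO.match(line):
            cur.update(proto=m[1], mode=m[2], spi=m[3], reqid=int(m[4]))
        elif m := SA_BYTES.match(line):
            cur["bytes"] = int(m[1])
        elif m := SA_ALLOC.match(line):
            cur["allocated"] = int(m[1])
    return sas


def parse_spd(text):
    """Parse `setkey -DP` output into one dict per policy (selector, dir, reqid, scope)."""
    sps, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := SP_SEL.match(line):
            cur = {"src": m[1], "dst": m[3], "ul": m[5]}
            sps.append(cur)
        elif cur is None:
            continue
        elif m := SP_DIR.match(line):
            cur["dir"], cur["action"] = m[1], m[2]
        elif m := SP_REQ.match(line):
            cur.update(proto=m[1], mode=m[2], level=m[4], reqid=int(m[5]) if m[5] else None)
        elif m := SP_ID.match(line):
            cur.update(spid=int(m[1]), scope=m[2], ifname=m[3])
    return sps


def duplicated_policies(sps):
    """Report a reqid+direction served by both a global-scope and an ifnet-scope
    policy, as the post's SPD shows for reqid 1 when the `tunnel` option is used."""
    groups = defaultdict(list)
    for sp in sps:
        if sp.get("action") == "ipsec" and sp.get("reqid") is not None:
            groups[(sp["reqid"], sp["dir"])].append(sp)
    out = []
    for (reqid, direction), group in sorted(groups.items()):
        if {"global", "ifnet"} <= {sp.get("scope") for sp in group}:
            ids = ", ".join(f"spid={sp.get('spid')}/{sp.get('ifname') or sp.get('scope')}" for sp in group)
            out.append(f"reqid {reqid} {direction}: global and ifnet policies overlap ({ids})")
    return out


def idle_sas(sas):
    """Report an SA that carried no packets while another SA of the same reqid did,
    as the post's SAD shows for the SA towards port 2179 in the `tunnel` run."""
    groups = defaultdict(list)
    for sa in sas:
        if sa.get("reqid") is not None:
            groups[sa["reqid"]].append(sa)
    out = []
    for reqid, group in sorted(groups.items()):
        if any(sa["allocated"] for sa in group):
            out += [f"reqid {reqid} spi={sa.get('spi')} [{sa['sport']}]->[{sa['dport']}]: "
                    "0 packets while the peer SA is active" for sa in group if sa["allocated"] == 0]
    return out


if __name__ == "__main__":
    for name, sad in (("tunnel", SAD_TUNNEL), ("no tunnel", SAD_NO_TUNNEL)):
        print(name, idle_sas(parse_sad(sad)) or "SA counters look symmetric")
    print(*duplicated_policies(parse_spd(SPD_TUNNEL)), sep="\n")
```

Run against the post's dumps, the `tunnel` run yields one idle SA (the one from port 4500 towards port 2179, 0 bytes / 0 packets against 9444 bytes / 35 packets on its peer) and two overlapping-policy findings (reqid 1 in and out, each with a global spid and an ipsec0 spid); the run without `tunnel` yields no idle SA, matching the "traffic flows" observation. The parser only reads the fields it needs, so it also works on a full, untrimmed dump with the created/lifetime/key lines left in; the keys themselves are never parsed.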