Re: bin/47894: racoon w/NAT-T - pfkey update: wrong ports

[Egerváry Gergely <gergely%egervary.hu@localhost>]

The following reply was made to PR bin/47894; it has been noted by GNATS.

From: =?UTF-8?B?RWdlcnbDoXJ5IEdlcmdlbHk=?= <gergely%egervary.hu@localhost>
To: gnats-bugs%NetBSD.org@localhost, gnats-admin%netbsd.org@localhost, 
 netbsd-bugs%netbsd.org@localhost
Cc: hsuenaga%netbsd.org@localhost
Subject: Re: bin/47894: racoon w/NAT-T - pfkey update: wrong ports
Date: Mon, 16 Jun 2014 15:25:13 +0200

 >  Let me see your ipsec statistics.
 >    # netstat -s -p ipsec
 
 On the server:
 
 --->8 ---- cut here ---- 8< ---
 (Fast) IPsec:
         0 no SA found (output)
         0 no memory available (output)
         0 no route available (output)
         0 generic errors (output)
         0 bundled SA processed (output)
         469 SPD cache lookups
         469 SPD cache misses
 
 IPsec ah:
         0 ah input packets processed
         0 ah output packets processed
         0 ah headers too short
         0 ah headers for unsupported address family
         0 ah packets with no SA
         0 ah packets dropped by crypto returning NULL mbuf
         0 ah packets with bad authentication
         0 ah packets with no xform
         0 ah packets dropped due to queue full
         0 ah packets dropped for replay counter wrap
         0 ah packets dropped for possible replay
         0 ah packets dropped for bad authenticator length
         0 ah packets with an invalid SA
         0 ah packets too big
         0 ah packets blocked due to policy
         0 ah failed crypto requests
         0 ah tunnel sanity check failures
         ah histogram:
                 ah packets with hmac-sha1: 8
         0 ah bytes received
         0 ah bytes transmitted
 
 IPsec esp:
         4 esp input packets processed
         4 esp output packets processed
         0 esp headers too short
         0 esp headers for unsupported address family
         0 esp packets with no SA
         0 esp packets dropped by crypto returning NULL mbuf
         0 esp packets dropped due to queue full
         0 esp packets with no xform
         0 esp packets with bad ilen
         0 esp packets with bad encryption
         0 esp packets with bad authentication
         0 esp packets dropped for replay counter wrap
         0 esp packets dropped for possible replay
         0 esp packets with an invalid SA
         0 esp packets too big
         0 esp packets blocked due to policy
         0 esp failed crypto requests
 --->8 ---- cut here ---- 8< ---
 
 on the client:
 
 --->8 ---- cut here ---- 8< ---
 (Fast) IPsec:
         1 no SA found (output)
         0 no memory available (output)
         0 no route available (output)
         0 generic errors (output)
         0 bundled SA processed (output)
         294 SPD cache lookups
         281 SPD cache misses
 
 IPsec ah:
         0 ah input packets processed
         0 ah output packets processed
         0 ah headers too short
         0 ah headers for unsupported address family
         0 ah packets with no SA
         0 ah packets dropped by crypto returning NULL mbuf
         0 ah packets with bad authentication
         0 ah packets with no xform
         0 ah packets dropped due to queue full
         0 ah packets dropped for replay counter wrap
         0 ah packets dropped for possible replay
         0 ah packets dropped for bad authenticator length
         0 ah packets with an invalid SA
         0 ah packets too big
         0 ah packets blocked due to policy
         0 ah failed crypto requests
         0 ah tunnel sanity check failures
         ah histogram:
                 ah packets with hmac-sha1: 14
         0 ah bytes received
         0 ah bytes transmitted
 
 IPsec esp:
         7 esp input packets processed
         7 esp output packets processed
         0 esp headers too short
         0 esp headers for unsupported address family
         0 esp packets with no SA
         0 esp packets dropped by crypto returning NULL mbuf
         0 esp packets dropped due to queue full
         0 esp packets with no xform
         0 esp packets with bad ilen
         0 esp packets with bad encryption
         0 esp packets with bad authentication
         0 esp packets dropped for replay counter wrap
         0 esp packets dropped for possible replay
         0 esp packets with an invalid SA
         0 esp packets too big
         0 esp packets blocked due to policy
         0 esp failed crypto requests
         0 esp tunnel sanity check failures
         esp histogram:
                 esp packets with aes-cbc: 14
         224 esp bytes received
         308 esp bytes transmitted
 IPsec ipip:
         0 ipip total input packets
         0 ipip total output packets
         0 ipip packets too short for header length
         0 ipip packets dropped due to queue full
         0 ipip packets blocked due to policy
         0 ipip IP spoofing attempts
         0 ipip protocol family mismatched
         0 ipip missing tunnel-endpoint address
         0 ipip input bytes received
         0 ipip output bytes processed
 IPsec ipcomp:
         0 ipcomp packets too short for header length
         0 ipcomp protocol family not supported
         0 ipcomp packets with no SA
         0 ipcomp packets dropped by crypto returning NULL mbuf
         0 ipcomp queue full
         0 ipcomp no support for transform
         0 ipcomp packets dropped for replay counter wrap
         0 ipcomp input IPcomp packets
         0 ipcomp output IPcomp packets
         0 ipcomp packets with an invalid SA
         0 ipcomp packets decompressed as too big
         0 ipcomp packets too short to be compressed
         0 ipcomp packet for which compression was useless
         0 ipcomp packets blocked due to policy
         0 ipcomp failed crypto requests
         IPcomp histogram:
         0 ipcomp input bytes
         0 ipcomp output bytes
 --->8 ---- cut here ---- 8< ---
 
 -- 
 Egerváry Gergely
 <gergely%egervary.hu@localhost>