Date:      Wed, 25 Apr 2018 14:48:07 +0300
From:      Victor Gamov <vit@otcnet.ru>
To:        freebsd-net@freebsd.org
Subject:   Re: multiple if_ipsec
Message-ID:  <9f94133e-bc7f-7979-72de-e6907f68a254@otcnet.ru>
In-Reply-To: <8d27fbd2-001d-dc46-3621-c44d8dad5522@yandex.ru>
References:  <b859ed18-e511-3640-4662-4242a53d999c@otcnet.ru> <5e36ac3f-39ce-72c5-cd97-dd3c4cf551a7@yandex.ru> <30d1c5f9-56e7-c67b-43e1-e6f0457360a8@otcnet.ru> <c2cb415b-bcde-c714-9412-103e674ce673@yandex.ru> <77c37ff9-8de3-dec0-176a-2b34db136bc5@otcnet.ru> <92930ba6-828d-ecb5-ce37-36794ec80ef7@yandex.ru> <112ea6c0-1927-5f47-24c7-6888295496cf@otcnet.ru> <8d27fbd2-001d-dc46-3621-c44d8dad5522@yandex.ru>

On 23/04/2018 15:43, Andrey V. Elsukov wrote:
> 
> Your security associations don't match your security policies.
> Probably you did the interface reconfiguration without clearing old SAs.
> 
> I think your configuration will work if you first complete the if_ipsec(4)
> configuration, then start racoon and it will generate SAs.
> 
> To clear all old/stale configured SAs you can first stop racoon, then
> run `setkey -DF` and `setkey -DPF`.

Hi Andrey

Thanks for your advice: I found a typo in my rc.conf and now the ipsec
interfaces are created with the proper reqid.

After all ipsec interfaces are created I have many SPD entries configured
like '0.0.0.0/0[any] 0.0.0.0/0[any] any' with properly configured
ifname=ipsec[25|26|30]


But now I'm sure I have a racoon misconfiguration: if I use one "sainfo
anonymous" then all created SAs bind to the last configured ipsec interface.
So I need a sainfo entry for every remote entry.


But I still can't understand how to bind the SPD automatically created by
'ifconfig ipsec30 reqid 30 ...' to an SA configured like
=====
remote __Cisco_IP_30__ {
   my_identifier address __FreeBSD_IP__;
   peers_identifier address __Cisco_IP_30__;
   ph1id 30;
}
sainfo ??? {
   remoteid 30;
}
=====


If I configure
sainfo address __FreeBSD_IP__ any address __Cisco_IP_30 any {
    remoteid 30;
    .....
}

then I get the following error
=====
racoon: DEBUG: getsainfo params: loc='0.0.0.0/0' rmt='0.0.0.0/0' peer='__Cisco_IP_30__' client='__Cisco_IP_30__' id=30
racoon: DEBUG: evaluating sainfo: loc='__FreeBSD_IP__', rmt='__Cisco_IP_30__', peer='ANY', id=30
racoon: DEBUG: check and compare ids : value mismatch (IPv4_address)
racoon: DEBUG: cmpid target: '0.0.0.0/0'
racoon: DEBUG: cmpid source: '__FreeBSD_IP__'
racoon: DEBUG: IV freed
=====


Can you please explain to me how sainfo (or something else) must be
properly configured?

Thanks!

--
CU,
Victor Gamov
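A diagnostic for the SA/SP mismatch Andrey describes above, added here as an example and not code from this thread or from ipsec-tools: it parses constructed text in the shape of `setkey -D` (SAD) and `setkey -DP` (SPD) output (the exact output format, the addresses and the SPIs are assumptions) and reports every if_ipsec policy whose tunnel endpoints have no SA carrying the same reqid, which is what a single `sainfo anonymous` binding every SA to the last configured interface looks like on the host.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `setkey -D`: three SAs, all negotiated with
# reqid 30 even though one of them terminates on the ipsec25 peer (assumed addresses).
SAD = """\
203.0.113.1 198.51.100.30
	esp mode=tunnel spi=16909060(0x01020304) reqid=30(0x0000001e)
198.51.100.30 203.0.113.1
	esp mode=tunnel spi=84281096(0x05060708) reqid=30(0x0000001e)
198.51.100.25 203.0.113.1
	esp mode=tunnel spi=1193046(0x00123456) reqid=30(0x0000001e)
"""
# Constructed sample in the shape of `setkey -DP`: the 0.0.0.0/0 policies that
# if_ipsec(4) installs, each bound to its interface's reqid via "unique:N".
SPD = """\
0.0.0.0/0[any] 0.0.0.0/0[any] any
	in ipsec
	esp/tunnel/198.51.100.25-203.0.113.1/unique:25
0.0.0.0/0[any] 0.0.0.0/0[any] any
	out ipsec
	esp/tunnel/203.0.113.1-198.51.100.25/unique:25
0.0.0.0/0[any] 0.0.0.0/0[any] any
	in ipsec
	esp/tunnel/198.51.100.30-203.0.113.1/unique:30
0.0.0.0/0[any] 0.0.0.0/0[any] any
	out ipsec
	esp/tunnel/203.0.113.1-198.51.100.30/unique:30
"""
SA_HDR = re.compile(r"^(\S+)\s+(\S+)\s*$")          # unindented "src dst" line
SA_REQID = re.compile(r"reqid=(\d+)")
SP_TUNNEL = re.compile(r"(?:esp|ah)/tunnel/(\S+)-(\S+)/unique:(\d+)")

def parse_sad(text):
    """Map (src, dst) -> set of reqids found on SAs between those endpoints."""
    sas, pair = defaultdict(set), None
    for line in text.splitlines():
        if line and not line[0].isspace():
            m = SA_HDR.match(line)
            pair = (m.group(1), m.group(2)) if m else None
        elif pair and (m := SA_REQID.search(line)):
            sas[pair].add(int(m.group(1)))
    return sas

def parse_spd(text):
    """List of (src, dst, reqid) tunnels that the installed policies require."""
    return [(s, d, int(r)) for s, d, r in SP_TUNNEL.findall(text)]

def find_mismatches(sad_text, spd_text):
    """(src, dst, wanted_reqid, reqids_present) for each policy lacking a matching SA."""
    sas = parse_sad(sad_text)
    return [(s, d, r, tuple(sorted(sas.get((s, d), ()))))
            for s, d, r in parse_spd(spd_text) if r not in sas.get((s, d), ())]

if __name__ == "__main__":
    for src, dst, want, have in find_mismatches(SAD, SPD):
        print(f"policy {src}->{dst} needs reqid {want}, SAs present: {have or 'none'}")
```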


