Date:      Tue, 8 May 2018 13:03:45 +0200
From:      peter.blok@bsd4all.org
To:        Victor Gamov <vit@otcnet.ru>
Cc:        freebsd-net@freebsd.org
Subject:   Re: multiple if_ipsec
Message-ID:  <C6EF4FCA-CBA0-4068-A582-E3C99D209D0C@bsd4all.org>
In-Reply-To: <9f94133e-bc7f-7979-72de-e6907f68a254@otcnet.ru>
References:  <b859ed18-e511-3640-4662-4242a53d999c@otcnet.ru> <5e36ac3f-39ce-72c5-cd97-dd3c4cf551a7@yandex.ru> <30d1c5f9-56e7-c67b-43e1-e6f0457360a8@otcnet.ru> <c2cb415b-bcde-c714-9412-103e674ce673@yandex.ru> <77c37ff9-8de3-dec0-176a-2b34db136bc5@otcnet.ru> <92930ba6-828d-ecb5-ce37-36794ec80ef7@yandex.ru> <112ea6c0-1927-5f47-24c7-6888295496cf@otcnet.ru> <8d27fbd2-001d-dc46-3621-c44d8dad5522@yandex.ru> <9f94133e-bc7f-7979-72de-e6907f68a254@otcnet.ru>

Hi Victor,

I’m struggling with the same issue. My sainfo doesn’t match unless I use anonymous.

Hi Andrey,

What I don’t understand is why a “catchall” policy is added instead of the policy that matches the inner tunnel.

What is supposed to happen here? Is the IKE daemon supposed to update the policy once started?

Peter


> On 25 Apr 2018, at 13:48, Victor Gamov <vit@otcnet.ru> wrote:
>
> On 23/04/2018 15:43, Andrey V. Elsukov wrote:
>> Your security associations don't match your security policies.
>> Probably you did the interface reconfiguration without clearing old SAs.
>> I think your configuration will work if you first do the if_ipsec(4)
>> configuration, then start racoon and it will generate SAs.
>> To clear all old/stale configured SAs you can first stop racoon, then
>> run `setkey -DF` and `setkey -DPF`.
>
> Hi Andrey
>
> Thanks for your advice: I found a typo in my rc.conf and now the ipsec interfaces are created with the proper reqid.
>
> After all ipsec interfaces are created I have many SPD entries configured like '0.0.0.0/0[any] 0.0.0.0/0[any] any' with properly configured ifname=ipsec[25|26|30]
>
>
> But now I'm sure I have a racoon misconfiguration: if I use one "sainfo anonymous" then all created SAs bind to the last configured ipsec interface. So I need a sainfo entry for every remote entry.
>
>
> But I still can't understand how to bind the SPD automatically created by
> 'ifconfig ipsec30 reqid 30 ...'  to an SA configured like
> =====
> remote __Cisco_IP_30__ {
>  my_identifier address __FreeBSD_IP__;
>  peers_identifier address __Cisco_IP_30__;
>  ph1id 30;
> }
> sainfo ??? {
>  remoteid 30;
> }
> =====
>
>
> If I configure
> sainfo address __FreeBSD_IP__ any address __Cisco_IP_30 any {
>   remoteid 30;
>   .....
> }
>
> then I get the following error
> =====
> racoon: DEBUG: getsainfo params: loc='0.0.0.0/0' rmt='0.0.0.0/0' peer='__Cisco_IP_30__' client='__Cisco_IP_30__' id=30
> racoon: DEBUG: evaluating sainfo: loc='__FreeBSD_IP__', rmt='__Cisco_IP_30__', peer='ANY', id=30
> racoon: DEBUG: check and compare ids : value mismatch (IPv4_address)
> racoon: DEBUG: cmpid target: '0.0.0.0/0'
> racoon: DEBUG: cmpid source: '__FreeBSD_IP__'
> racoon: DEBUG: IV freed
> =====
>
>
> Can you please explain to me how sainfo (or something else) must be properly configured?
>
> Thanks!
>
> --
> CU,
> Victor Gamov
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
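Worked example, added to this archive page and not part of the thread or of racoon itself: a small Python script that parses the `getsainfo params:` / `evaluating sainfo:` debug lines Victor quoted (the sample below is constructed from those lines, placeholders included) and reports, for each sainfo candidate racoon evaluated, every selector field on which it fails. racoon itself stops at the first mismatch (`cmpid`), so the log only shows the `loc` comparison; the script checks `loc`, `rmt`, `peer` and `id` together. The comparison rules are a simplified approximation of racoon's getsainfo matching (an assumption, not racoon's code), but they make the situation in the thread visible: the SPD entries created by if_ipsec(4) carry `0.0.0.0/0` selectors, so a sainfo keyed on host addresses never matches them.

```python
"""Diagnose why racoon skipped a sainfo section for a phase-2 request.

Feeds on 'racoon: DEBUG:' lines as produced with verbose logging; the
match rules below are a simplified model (assumption) of getsainfo().
"""
import re
from typing import Dict, List

# Constructed sample, copied from the debug output quoted in the thread.
SAMPLE_LOG = """\
racoon: DEBUG: getsainfo params: loc='0.0.0.0/0' rmt='0.0.0.0/0' peer='__Cisco_IP_30__' client='__Cisco_IP_30__' id=30
racoon: DEBUG: evaluating sainfo: loc='__FreeBSD_IP__', rmt='__Cisco_IP_30__', peer='ANY', id=30
racoon: DEBUG: check and compare ids : value mismatch (IPv4_address)
racoon: DEBUG: cmpid target: '0.0.0.0/0'
racoon: DEBUG: cmpid source: '__FreeBSD_IP__'
racoon: DEBUG: IV freed
"""

# key='quoted value' or key=bare_value
KV_RE = re.compile(r"(\w+)=('[^']*'|\S+)")


def parse_kv(text: str) -> Dict[str, str]:
    """Turn "loc='a', rmt='b', id=30" into {'loc': 'a', 'rmt': 'b', 'id': '30'}."""
    return {k: v.strip("'") for k, v in KV_RE.findall(text)}


def parse_log(log: str) -> List[Dict]:
    """Group each phase-2 request with the sainfo candidates racoon evaluated for it."""
    requests: List[Dict] = []
    for line in log.splitlines():
        if "getsainfo params:" in line:
            params = parse_kv(line.split("getsainfo params:", 1)[1])
            requests.append({"request": params, "candidates": []})
        elif "evaluating sainfo:" in line and requests:
            cand = parse_kv(line.split("evaluating sainfo:", 1)[1])
            requests[-1]["candidates"].append(cand)
    return requests


def explain_mismatch(request: Dict[str, str], candidate: Dict[str, str]) -> List[str]:
    """Return the fields on which a sainfo candidate fails the request.

    Simplified rules: a sainfo 'ANY' matches anything; otherwise the
    selector must equal the one the SPD/request carries; 'peer' is compared
    against the request's peer address, 'id' against the remoteid.
    """
    reasons = []
    for field in ("loc", "rmt"):
        want, have = request.get(field), candidate.get(field)
        if have not in (None, "ANY", want):
            reasons.append(f"{field}: request selector {want!r} vs sainfo {have!r}")
    peer = candidate.get("peer")
    if peer not in (None, "ANY", request.get("peer")):
        reasons.append(f"peer: request {request.get('peer')!r} vs sainfo {peer!r}")
    if "id" in candidate and candidate["id"] != request.get("id"):
        reasons.append(f"id: request {request.get('id')!r} vs sainfo remoteid {candidate['id']!r}")
    return reasons


def diagnose(log: str) -> List[Dict]:
    """One report entry per (request, candidate); an empty 'reasons' list
    means that candidate would have been selected."""
    report = []
    for entry in parse_log(log):
        req = entry["request"]
        for cand in entry["candidates"]:
            report.append({
                "request_id": req.get("id"),
                "candidate": cand,
                "reasons": explain_mismatch(req, cand),
            })
    return report


if __name__ == "__main__":
    for item in diagnose(SAMPLE_LOG):
        status = "would match" if not item["reasons"] else "skipped"
        print(f"remoteid {item['request_id']}: sainfo {item['candidate']} {status}")
        for reason in item["reasons"]:
            print("   -", reason)
```

Run against a real racoon log (`log debug;` in racoon.conf, or `racoon -ddd`) by replacing `SAMPLE_LOG` with the captured output; on the thread's sample it reports both `loc` and `rmt` as mismatching while `peer` and `id` are fine, which is the `cmpid target: '0.0.0.0/0'` / `cmpid source: '__FreeBSD_IP__'` comparison spelled out for every field.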



