Date:      Tue, 4 Apr 2017 06:55:36 -0400
From:      Mike Tancsa <mike@sentex.net>
To:        "Andrey V. Elsukov" <bu7cher@yandex.ru>, FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org>, svn-src-stable-11@freebsd.org
Subject:   Re: svn commit: r315514 - in stable/11: . contrib/netcat lib/libipsec sbin/ifconfig sbin/ipfw sbin/setkey share/man/man4 sys/conf sys/libkern sys/modules sys/modules/ipsec sys/modules/tcp/tcpmd5 sys/ne...
Message-ID:  <a3ee1736-ca0b-76dc-0561-6bd27dd79071@sentex.net>
In-Reply-To: <cdff758c-e7d7-d22d-512e-2137ba70e78a@yandex.ru>
References:  <201703182204.v2IM4Kfj060263@repo.freebsd.org> <7738349f-e89a-d37d-e36f-0a5e18dc4249@sentex.net> <cdff758c-e7d7-d22d-512e-2137ba70e78a@yandex.ru>

On 4/4/2017 2:24 AM, Andrey V. Elsukov wrote:
> On 04.04.2017 00:39, Mike Tancsa wrote:
> It seems you have encrypted your config, because I don't see IP with 128
> octets :)

:)

> 
> One question, did this even work before?


> You have many SAs with the same destination address, it seems to me,
> that this should not work with old IPsec code, because it uses SA
> lookups using only destination address. So, if you have not the same
> password for each SA, it should not work.
>
> Can you try the attached patch?
>

It did. In the past, inbound sigs I think just didn't work, but it was
uninteresting for the purpose of this app.  In this case, it was for BGP
passwords.  I was more concerned with sending the correct password to
the peer.  So it was one source IP with many destination addresses (over
a dozen). For the old config I just had the policy in one direction as
well.  It seems now with the new IPsec code, I must have the policy in
both directions?

The man page for setkey implies I only need one entry.

Also, should the SPI always be the same, or unique?

Compiling the patch now.

	---Mike


-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/
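The thread above is about setkey SAs that carry TCP-MD5 passwords for BGP peers. The following Python is an added illustration, not code from FreeBSD, from the patch under discussion, or from either poster, of what such an SA actually keys: the RFC 2385 digest. It covers the pseudo-header (source, destination, zero, protocol 6, segment length), the 20-byte fixed TCP header with the checksum zeroed and options excluded, the payload, and finally the key. The addresses, ports, payload bytes and the per-address-pair key table are constructed for the example; the table is a stand-in for one SA per direction per peer and is an assumption of this example, not a statement about how the kernel code on either side of the patch does its lookup.

```python
"""RFC 2385 TCP-MD5: sign and verify a TCP segment with a per-peer key.
Added example; not code from FreeBSD or from the mailing-list thread."""
import hashlib
import hmac
import ipaddress
import struct

TCPOPT_MD5 = 19        # RFC 2385 option kind
TCPOPT_MD5_LEN = 18    # kind(1) + length(1) + 16-byte digest

# Constructed key table, one entry per (local, peer) address pair. This is an
# assumption of the example (it mirrors one SA per direction per peer); it is
# not how the FreeBSD SA lookup is implemented.
SA_TABLE = {
    ("192.0.2.1", "192.0.2.10"): b"peer-a-secret",
    ("192.0.2.1", "192.0.2.11"): b"peer-b-secret",
}


def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """MD5 over pseudo-header, fixed TCP header (checksum zeroed, options
    excluded), payload, then the key, in that order (RFC 2385 section 2)."""
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad TCP data offset")
    fixed = bytearray(segment[:20])
    fixed[16:18] = b"\x00\x00"          # checksum is assumed to be zero
    payload = segment[data_offset:]     # everything after the options
    pseudo = (ipaddress.ip_address(src_ip).packed
              + ipaddress.ip_address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, len(segment)))  # zero, proto, seg len
    h = hashlib.md5()
    for part in (pseudo, bytes(fixed), payload, key):
        h.update(part)
    return h.digest()


def build_segment(sport, dport, seq, ack, flags, payload, with_md5=False):
    """Constructed TCP segment. With with_md5, reserve a zero-filled MD5 option
    padded to 20 bytes with two NOPs so the header stays a multiple of 4."""
    options = b""
    if with_md5:
        options = bytes([TCPOPT_MD5, TCPOPT_MD5_LEN]) + b"\x00" * 16 + b"\x01\x01"
    hdr_len = 20 + len(options)
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        (hdr_len // 4) << 4, flags, 65535, 0, 0)
    return fixed + options + payload


def find_md5_option(segment):
    """Walk the TCP option list; return the offset of the digest or None."""
    data_offset = (segment[12] >> 4) * 4
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == 0:                   # end of option list
            break
        if kind == 1:                   # NOP
            i += 1
            continue
        if i + 1 >= data_offset:
            break
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            break                       # malformed option; treat as absent
        if kind == TCPOPT_MD5 and length == TCPOPT_MD5_LEN:
            return i + 2
        i += length
    return None


def sign(src_ip, dst_ip, segment, key):
    """Return a copy of the segment with the MD5 option filled in."""
    off = find_md5_option(segment)
    if off is None:
        raise ValueError("segment carries no MD5 option to fill")
    out = bytearray(segment)
    out[off:off + 16] = tcp_md5_digest(src_ip, dst_ip, segment, key)
    return bytes(out)


def verify(src_ip, dst_ip, segment, key):
    """Constant-time check of the carried digest against a recomputed one."""
    off = find_md5_option(segment)
    if off is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, segment, key)
    return hmac.compare_digest(segment[off:off + 16], expected)


def demo():
    """Sign a constructed BGP segment for peer A and check a few failure modes."""
    src, dst = "192.0.2.1", "192.0.2.10"
    # Constructed payload: 16-byte BGP marker followed by arbitrary bytes.
    seg = build_segment(179, 40123, 1000, 2000, 0x18, b"\xff" * 16 + b"\x00\x1d\x01",
                        with_md5=True)
    signed = sign(src, dst, seg, SA_TABLE[(src, dst)])
    return {
        "ok": verify(src, dst, signed, SA_TABLE[(src, dst)]),
        "wrong_peer_key": verify(src, dst, signed, SA_TABLE[(src, "192.0.2.11")]),
        "wrong_dst": verify(src, "192.0.2.11", signed, SA_TABLE[(src, dst)]),
        "tampered": verify(src, dst, signed[:-1] + bytes([signed[-1] ^ 1]),
                           SA_TABLE[(src, dst)]),
    }


if __name__ == "__main__":
    print(demo())
```

Because the pseudo-header binds both addresses into the digest, a segment signed for one peer fails verification for any other peer even if the same key were reused, and a receiver that picks the key by destination address alone must still recompute the digest with the correct source address; the example's key table keys on the full pair for that reason.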


