Date:      Tue, 4 Apr 2017 15:55:16 -0400
From:      Mike Tancsa <mike@sentex.net>
To:        "Andrey V. Elsukov" <bu7cher@yandex.ru>, FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org>
Subject:   Re: svn commit: r315514 - in stable/11: . contrib/netcat lib/libipsec sbin/ifconfig sbin/ipfw sbin/setkey share/man/man4 sys/conf sys/libkern sys/modules sys/modules/ipsec sys/modules/tcp/tcpmd5 sys/ne...
Message-ID:  <e722e690-a1c0-8718-84cc-d1913d3076ea@sentex.net>
In-Reply-To: <2aa232b9-df57-3512-ae98-1d4b03bb00d4@yandex.ru>
References:  <201703182204.v2IM4Kfj060263@repo.freebsd.org> <7738349f-e89a-d37d-e36f-0a5e18dc4249@sentex.net> <cdff758c-e7d7-d22d-512e-2137ba70e78a@yandex.ru> <a3ee1736-ca0b-76dc-0561-6bd27dd79071@sentex.net> <2aa232b9-df57-3512-ae98-1d4b03bb00d4@yandex.ru>

On 4/4/2017 7:18 AM, Andrey V. Elsukov wrote:
> On 04.04.2017 13:55, Mike Tancsa wrote:
> 
> Yes, you need SA for both directions.
> 
>> The man page for setkey implies I only need one entry.
>>
>> Also, should the SPI always be the same, or unique?
> 
> SPI is not used by this code, it is only needed for compatibility with
> SADB. Better to use a unique SPI for each SA, but for TCP-MD5 it will work
> anyway. :)
> 

Perhaps this small change to the man pages?

--- sbin/setkey/setkey.8.prev   2017-04-04 15:11:03.312911000 -0400
+++ sbin/setkey/setkey.8        2017-04-04 15:53:31.296152000 -0400
@@ -696,6 +696,7 @@
 Use TCP MD5 between two numerically specified hosts:
 .Bd -literal -offset indent
 add 10.1.10.34 10.1.10.36 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ;
+add 10.1.10.36 10.1.10.34 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ;
 .Ed
 .\"
 .Sh SEE ALSO

	---Mike


-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/


