From owner-freebsd-net@freebsd.org Wed Apr 25 11:48:11 2018
Subject: Re: multiple if_ipsec
To: freebsd-net@freebsd.org
From: Victor Gamov
Organization: OTCnet
Message-ID: <9f94133e-bc7f-7979-72de-e6907f68a254@otcnet.ru>
Date: Wed, 25 Apr 2018 14:48:07 +0300
In-Reply-To: <8d27fbd2-001d-dc46-3621-c44d8dad5522@yandex.ru>
References: <5e36ac3f-39ce-72c5-cd97-dd3c4cf551a7@yandex.ru> <30d1c5f9-56e7-c67b-43e1-e6f0457360a8@otcnet.ru> <77c37ff9-8de3-dec0-176a-2b34db136bc5@otcnet.ru> <92930ba6-828d-ecb5-ce37-36794ec80ef7@yandex.ru> <112ea6c0-1927-5f47-24c7-6888295496cf@otcnet.ru> <8d27fbd2-001d-dc46-3621-c44d8dad5522@yandex.ru>
List-Id: Networking and TCP/IP with FreeBSD

On 23/04/2018 15:43, Andrey V. Elsukov wrote:
>
> Your security associations don't match your security policies.
> Probably you did interfaces reconfiguration without clearing old SAs.
>
> I think your configuration will work if you first do the if_ipsec(4)
> configuration, then start racoon and it will generate SAs.
>
> To clear all old/stale configured SAs you can first stop racoon, then
> run `setkey -DF` and `setkey -DPF`.

Hi Andrey

Thanks for your advice: I found a typo in my rc.conf and now ipsec interfaces are created with the proper reqid.

After all ipsec-interfaces are created I have many SPD entries configured like '0.0.0.0/0[any] 0.0.0.0/0[any] any' with properly configured ifname=ipsec[25|26|30]

But now I'm sure I have a racoon misconfiguration: if I use one "sainfo anonymous" then all created SAs bind to the last configured ipsec-interface. So I need a sainfo entry for every remote entry.

But I still can't understand how to bind the SPD automatically created by 'ifconfig ipsec30 reqid 30 ...' to an SA configured like
=====
remote __Cisco_IP_30__ {
        my_identifier address __FreeBSD_IP__;
        peers_identifier address __Cisco_IP_30__;
        ph1id 30;
}

sainfo ??? {
        remoteid 30;
}
=====

If I configure
sainfo address __FreeBSD_IP__ any address __Cisco_IP_30 any {
        remoteid 30;
        .....
}
then I get the following error
=====
racoon: DEBUG: getsainfo params: loc='0.0.0.0/0' rmt='0.0.0.0/0' peer='__Cisco_IP_30__' client='__Cisco_IP_30__' id=30
racoon: DEBUG: evaluating sainfo: loc='__FreeBSD_IP__', rmt='__Cisco_IP_30__', peer='ANY', id=30
racoon: DEBUG: check and compare ids : value mismatch (IPv4_address)
racoon: DEBUG: cmpid target: '0.0.0.0/0'
racoon: DEBUG: cmpid source: '__FreeBSD_IP__'
racoon: DEBUG: IV freed
=====

Can you please explain to me how sainfo (or something else) must be properly configured?

Thanks!

--
CU,
Victor Gamov
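Both problems in this thread (Andrey's point that stale SAs no longer match the SPD, and Victor's observation that with a single "sainfo anonymous" every SA gets bound to the last configured ipsec interface) show up as a mismatch between the reqid carried in each policy's "unique" level and the reqid of the SAs in the SAD. The following script is an added example, not code from the thread or from FreeBSD, that cross-checks the two dumps and reports policies without a mature SA, SAs bound to the wrong reqid for their tunnel endpoints, and SAs left over with no policy at all. The sample dumps are constructed; the exact layout of `setkey -DP` and `setkey -D` output is an assumption modelled on setkey(8), and the parser relies only on the "esp/tunnel/SRC-DST/unique:REQID" request line, the direction line, the "ifname=" field, and the "reqid=" and "state=" fields of each SA.

```python
"""Cross-check if_ipsec(4) policies (setkey -DP) against SAs (setkey -D) by reqid."""
import re
from collections import defaultdict

# Constructed `setkey -DP` sample: interfaces ipsec30 (reqid 30) and ipsec25
# (reqid 25), each with an out and an in policy (tunnel endpoints reversed).
SPD_DUMP = """\
0.0.0.0/0[any] 0.0.0.0/0[any] any
    out ipsec
    esp/tunnel/192.0.2.1-198.51.100.30/unique:30
    spid=4 seq=3 pid=0 scope=ifnet ifname=ipsec30
0.0.0.0/0[any] 0.0.0.0/0[any] any
    in ipsec
    esp/tunnel/198.51.100.30-192.0.2.1/unique:30
    spid=3 seq=2 pid=0 scope=ifnet ifname=ipsec30
0.0.0.0/0[any] 0.0.0.0/0[any] any
    out ipsec
    esp/tunnel/192.0.2.1-198.51.100.25/unique:25
    spid=2 seq=1 pid=0 scope=ifnet ifname=ipsec25
0.0.0.0/0[any] 0.0.0.0/0[any] any
    in ipsec
    esp/tunnel/198.51.100.25-192.0.2.1/unique:25
    spid=1 seq=0 pid=0 scope=ifnet ifname=ipsec25
"""

# Constructed `setkey -D` sample: ipsec30 is fine in both directions, the SA
# towards 198.51.100.25 was negotiated with reqid 30 instead of 25 (the
# "everything binds to the last interface" symptom), and an SA towards
# 203.0.113.7 survives from a removed interface (a stale SA).
SAD_DUMP = """\
192.0.2.1 198.51.100.30
    esp mode=tunnel spi=268435457(0x10000001) reqid=30(0x0000001e)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.30 192.0.2.1
    esp mode=tunnel spi=268435458(0x10000002) reqid=30(0x0000001e)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.1 198.51.100.25
    esp mode=tunnel spi=268435459(0x10000003) reqid=30(0x0000001e)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.1 203.0.113.7
    esp mode=tunnel spi=268435460(0x10000004) reqid=26(0x0000001a)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

DIR_RE = re.compile(r"^\s+(in|out|fwd)\s+(ipsec|discard|none)\b")
REQ_RE = re.compile(r"^\s+(esp|ah|ipcomp)/(tunnel|transport)/([^-\s]+)-(\S+?)/unique[:#](\d+)")
IFNAME_RE = re.compile(r"\bifname=(\S+)")
SA_RE = re.compile(r"^\s+(esp|ah|ipcomp)\s+mode=(\w+)\s+spi=(\d+)\(0x[0-9a-fA-F]+\)\s+reqid=(\d+)")
STATE_RE = re.compile(r"\bstate=(\w+)")


def parse_spd(text):
    """Return one dict per policy that carries a 'unique' reqid."""
    policies, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented selector line starts a policy
            sel = line.split()
            cur = {"sel_src": sel[0], "sel_dst": sel[1], "dir": None,
                   "tun_src": None, "tun_dst": None, "reqid": None, "ifname": None}
            policies.append(cur)
            continue
        if cur is None:
            continue
        if (m := DIR_RE.match(line)):
            cur["dir"] = m.group(1)
        elif (m := REQ_RE.match(line)):
            cur["tun_src"], cur["tun_dst"], cur["reqid"] = m.group(3), m.group(4), int(m.group(5))
        elif (m := IFNAME_RE.search(line)):
            cur["ifname"] = m.group(1)
    return [p for p in policies if p["reqid"] is not None]


def parse_sad(text):
    """Return one dict per SA with its endpoints, SPI, reqid and state."""
    sas, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented "SRC DST" line starts an SA
            src, dst = line.split()[:2]
            cur = {"src": src, "dst": dst, "spi": None, "reqid": None, "state": None}
            sas.append(cur)
            continue
        if cur is None:
            continue
        if (m := SA_RE.match(line)):
            cur["spi"], cur["reqid"] = int(m.group(3)), int(m.group(4))
        elif (m := STATE_RE.search(line)):
            cur["state"] = m.group(1)
    return [s for s in sas if s["reqid"] is not None]


def check_consistency(spd_text, sad_text):
    """Classify every SA against the policies and list policies with no mature SA."""
    policies, sas = parse_spd(spd_text), parse_sad(sad_text)
    by_endpoints = defaultdict(list)
    for p in policies:
        by_endpoints[(p["tun_src"], p["tun_dst"])].append(p)
    report = {"ok": [], "no_sa": [], "misbound_sa": [], "stale_sa": []}
    covered = set()
    for sa in sas:
        cands = by_endpoints.get((sa["src"], sa["dst"]), [])
        if not cands:  # no policy tunnels between these endpoints at all
            report["stale_sa"].append((sa["src"], sa["dst"], sa["reqid"]))
            continue
        hit = next((p for p in cands if p["reqid"] == sa["reqid"]), None)
        if hit is None:  # endpoints match a policy, but the reqid does not
            report["misbound_sa"].append((sa["src"], sa["dst"], sa["reqid"],
                                          sorted({p["reqid"] for p in cands})))
        elif sa["state"] == "mature":  # larval/dying SAs do not count as coverage
            covered.add(id(hit))
            report["ok"].append((hit["ifname"], hit["dir"], hit["reqid"]))
    for p in policies:
        if id(p) not in covered:
            report["no_sa"].append((p["ifname"], p["dir"], p["reqid"]))
    return report


if __name__ == "__main__":
    for kind, items in check_consistency(SPD_DUMP, SAD_DUMP).items():
        for item in items:
            print(kind, item)
```

On a live box the two constants would be replaced by the output of `setkey -DP` and `setkey -D`; any "stale_sa" or "misbound_sa" entry is the situation Andrey describes, where stopping racoon and flushing with `setkey -DF` / `setkey -DPF` before re-creating the interfaces is the fix, while "no_sa" entries point at policies racoon has not yet negotiated for.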