Date: Tue, 8 May 2018 13:03:45 +0200
From: peter.blok@bsd4all.org
To: Victor Gamov <vit@otcnet.ru>
Cc: freebsd-net@freebsd.org
Subject: Re: multiple if_ipsec
Message-ID: <C6EF4FCA-CBA0-4068-A582-E3C99D209D0C@bsd4all.org>
In-Reply-To: <9f94133e-bc7f-7979-72de-e6907f68a254@otcnet.ru>
References: <b859ed18-e511-3640-4662-4242a53d999c@otcnet.ru> <5e36ac3f-39ce-72c5-cd97-dd3c4cf551a7@yandex.ru> <30d1c5f9-56e7-c67b-43e1-e6f0457360a8@otcnet.ru> <c2cb415b-bcde-c714-9412-103e674ce673@yandex.ru> <77c37ff9-8de3-dec0-176a-2b34db136bc5@otcnet.ru> <92930ba6-828d-ecb5-ce37-36794ec80ef7@yandex.ru> <112ea6c0-1927-5f47-24c7-6888295496cf@otcnet.ru> <8d27fbd2-001d-dc46-3621-c44d8dad5522@yandex.ru> <9f94133e-bc7f-7979-72de-e6907f68a254@otcnet.ru>
Hi Victor,
I’m struggling with the same issue. My sainfo doesn’t match unless I use anonymous.
Hi Andrey,
What I don’t understand is why a “catchall” policy is added instead of the policy that matches the inner tunnel.
What is supposed to happen here? Is the IKE daemon supposed to update the policy once started?
Peter
> On 25 Apr 2018, at 13:48, Victor Gamov <vit@otcnet.ru> wrote:
>
> On 23/04/2018 15:43, Andrey V. Elsukov wrote:
>> Your security associations don't match your security policies.
>> Probably you did the interface reconfiguration without clearing old SAs.
>> I think your configuration will work if you first do the if_ipsec(4)
>> configuration, then start racoon and it will generate SAs.
>> To clear all old/stale configured SAs you can first stop racoon, then
>> run `setkey -DF` and `setkey -DPF`.
>
> Hi Andrey
>
> Thanks for your advice: I found a typo in my rc.conf and now the ipsec interfaces are created with the proper reqid.
>
> After all ipsec interfaces are created I have many SPD entries configured like '0.0.0.0/0[any] 0.0.0.0/0[any] any' with properly configured ifname=ipsec[25|26|30]
>
>
> But now I'm sure I have a racoon misconfiguration: if I use one "sainfo anonymous" then all created SAs bind to the last configured ipsec interface. So I need a sainfo entry for every remote entry.
>
>
> But I still can't understand how to bind the SPD automatically created by
> 'ifconfig ipsec30 reqid 30 ...' to an SA configured like
> =====
> remote __Cisco_IP_30__ {
> my_identifier address __FreeBSD_IP__;
> peers_identifier address __Cisco_IP_30__;
> ph1id 30;
> }
> sainfo ??? {
> remoteid 30;
> }
> =====
>
>
> If I configure
> sainfo address __FreeBSD_IP__ any address __Cisco_IP_30__ any {
> remoteid 30;
> .....
> }
>
> then I get the following error
> =====
> racoon: DEBUG: getsainfo params: loc='0.0.0.0/0' rmt='0.0.0.0/0' peer='__Cisco_IP_30__' client='__Cisco_IP_30__' id=30
> racoon: DEBUG: evaluating sainfo: loc='__FreeBSD_IP__', rmt='__Cisco_IP_30__', peer='ANY', id=30
> racoon: DEBUG: check and compare ids : value mismatch (IPv4_address)
> racoon: DEBUG: cmpid target: '0.0.0.0/0'
> racoon: DEBUG: cmpid source: '__FreeBSD_IP__'
> racoon: DEBUG: IV freed
> =====
>
>
> Can you please explain to me how sainfo (or something else) must be properly configured?
>
> Thanks!
>
> --
> CU,
> Victor Gamov
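As an added example (not from this thread, and not a fix confirmed by anyone in it), a racoon.conf fragment built from the selectors quoted above: the if_ipsec(4) policies and the "getsainfo params" lookup both carry 0.0.0.0/0 selectors, so each per-peer sainfo below uses 0.0.0.0/0 subnet selectors and is tied to its peer through remoteid. The peer addresses, the second peer (25), the algorithms and the pre-shared-key path are assumed placeholders.

```conf
# Added example, not from the thread; peer addresses, algorithms and the PSK path are placeholders.
# if_ipsec(4) installs SPD entries with 0.0.0.0/0 selectors for each interface (see the setkey
# output quoted above), so the sainfo blocks use 0.0.0.0/0 selectors and bind to a peer via ph1id/remoteid.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

remote __Cisco_IP_25__ {
        exchange_mode main;
        my_identifier address __FreeBSD_IP__;
        peers_identifier address __Cisco_IP_25__;
        ph1id 25;                      # referenced by "remoteid 25" below
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

remote __Cisco_IP_30__ {
        exchange_mode main;
        my_identifier address __FreeBSD_IP__;
        peers_identifier address __Cisco_IP_30__;
        ph1id 30;                      # referenced by "remoteid 30" below
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# One sainfo per peer: the selectors match the 0.0.0.0/0 policy that if_ipsec(4) installs
# (the "getsainfo params" debug line above shows racoon looking for exactly that), and
# remoteid keeps each peer's phase 2 on its own entry instead of one shared "sainfo anonymous".
sainfo subnet 0.0.0.0/0 any subnet 0.0.0.0/0 any {
        remoteid 25;
        pfs_group 2;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

sainfo subnet 0.0.0.0/0 any subnet 0.0.0.0/0 any {
        remoteid 30;
        pfs_group 2;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

Whether racoon then attaches each SA to the intended ipsec interface depends on the reqid in the SPD entry the kernel hands it, which is why the thread's advice to configure the interfaces before starting racoon still applies.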