From: peter.blok@bsd4all.org
To: Victor Gamov
Cc: freebsd-net@freebsd.org
Subject: Re: multiple if_ipsec
Date: Tue, 8 May 2018 13:03:45 +0200
In-Reply-To: <9f94133e-bc7f-7979-72de-e6907f68a254@otcnet.ru>

Hi Victor,

I’m struggling with the same issue. My sainfo doesn’t match unless I use anonymous.

Hi Andrey,

What I don’t understand is why a “catchall” policy is added instead of the policy that matches the inner tunnel. What is supposed to happen here? Is the IKE daemon supposed to update the policy once started?

Peter

> On 25 Apr 2018, at 13:48, Victor Gamov wrote:
>
> On 23/04/2018 15:43, Andrey V. Elsukov wrote:
>> Your security associations don't match your security policies.
>> Probably you did interface reconfiguration without clearing old SAs.
>> I think your configuration will work if you first do the if_ipsec(4)
>> configuration, then start racoon and it will generate SAs.
>> To clear all old/stale configured SAs you can first stop racoon, then
>> run `setkey -DF` and `setkey -DPF`.
>
> Hi Andrey
>
> Thanks for your advice: I found a typo in my rc.conf and now the ipsec interfaces are created with the proper reqid.
>
> After all ipsec interfaces are created I have many SPD entries configured like '0.0.0.0/0[any] 0.0.0.0/0[any] any' with properly configured ifname=ipsec[25|26|30]
>
>
> But now I'm sure I have a racoon misconfiguration: if I use one "sainfo anonymous" then all created SAs bind to the last configured ipsec interface. So I need a sainfo entry for every remote entry.
>
>
> But I still can't understand how to bind the SPD automatically created by
> 'ifconfig ipsec30 reqid 30 ...' to an SA configured like
> =====
> remote __Cisco_IP_30__ {
>         my_identifier address __FreeBSD_IP__;
>         peers_identifier address __Cisco_IP_30__;
>         ph1id 30;
> }
> sainfo ??? {
>         remoteid 30;
> }
> =====
>
>
> If I configure
> sainfo address __FreeBSD_IP__ any address __Cisco_IP_30__ any {
>         remoteid 30;
>         .....
> }
>
> then I get the following error
> =====
> racoon: DEBUG: getsainfo params: loc='0.0.0.0/0' rmt='0.0.0.0/0' peer='__Cisco_IP_30__' client='__Cisco_IP_30__' id=30
> racoon: DEBUG: evaluating sainfo: loc='__FreeBSD_IP__', rmt='__Cisco_IP_30__', peer='ANY', id=30
> racoon: DEBUG: check and compare ids : value mismatch (IPv4_address)
> racoon: DEBUG: cmpid target: '0.0.0.0/0'
> racoon: DEBUG: cmpid source: '__FreeBSD_IP__'
> racoon: DEBUG: IV freed
> =====
>
>
> Can you please explain to me how sainfo (or something else) must be properly configured?
>
> Thanks!
>
> --
> CU,
> Victor Gamov
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
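An added example, not part of the thread or of racoon: a small Python model of the sainfo selection that the quoted `getsainfo` / `evaluating sainfo` / `cmpid` debug lines describe, reduced to address-and-prefix equality against the SPD selector plus the remoteid/ph1id check. The addresses are constructed stand-ins for the thread's __FreeBSD_IP__ and __Cisco_IP_30__ placeholders; the model does not cover how SAs are bound to an ipsec interface by reqid, which is the separate problem the anonymous form runs into.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Sainfo:
    """One racoon sainfo block: 'anonymous' or an address/prefix per side."""
    name: str
    loc: str
    rmt: str
    remoteid: int  # must equal the ph1id of the matching remote {} block


def _id_matches(cfg: str, selector: str) -> bool:
    # Simplified cmpid (assumption, not racoon's code): an address-form sainfo
    # must equal the ID taken from the SPD selector, address and prefix length
    # alike; there is no containment check. 'anonymous' matches anything.
    if cfg == "anonymous":
        return True
    return ip_network(cfg, strict=False) == ip_network(selector, strict=False)


def select_sainfo(spd_loc, spd_rmt, ph1id, candidates):
    """Mimic getsainfo: return (first matching entry or None, rejection trace)."""
    trace = []
    for s in candidates:
        if s.remoteid != ph1id:
            trace.append(f"{s.name}: remoteid {s.remoteid} != id {ph1id}")
        elif not _id_matches(s.loc, spd_loc):
            trace.append(f"{s.name}: cmpid target '{spd_loc}' source '{s.loc}': value mismatch")
        elif not _id_matches(s.rmt, spd_rmt):
            trace.append(f"{s.name}: cmpid target '{spd_rmt}' source '{s.rmt}': value mismatch")
        else:
            return s, trace
    return None, trace


# Constructed stand-ins for the thread's __FreeBSD_IP__ / __Cisco_IP_30__.
FREEBSD_IP = "192.0.2.1"
CISCO_IP_30 = "198.51.100.30"

# if_ipsec(4) installs a catch-all policy '0.0.0.0/0[any] 0.0.0.0/0[any]' bound
# to the interface, so getsainfo is asked for loc='0.0.0.0/0' rmt='0.0.0.0/0',
# exactly what the quoted debug line shows.
SPD_LOC, SPD_RMT = "0.0.0.0/0", "0.0.0.0/0"

BY_ADDRESS = Sainfo("address-form", FREEBSD_IP, CISCO_IP_30, remoteid=30)
ANONYMOUS = Sainfo("anonymous-form", "anonymous", "anonymous", remoteid=30)
OTHER_PEER = Sainfo("peer-25", "anonymous", "anonymous", remoteid=25)


def demo():
    failed, why = select_sainfo(SPD_LOC, SPD_RMT, 30, [BY_ADDRESS])
    ok, _ = select_sainfo(SPD_LOC, SPD_RMT, 30, [OTHER_PEER, BY_ADDRESS, ANONYMOUS])
    return failed, why, ok
```

Running `demo()` reproduces the thread's outcome: the address-form entry is rejected with a cmpid value mismatch against the 0.0.0.0/0 selector, while the anonymous entry with the right remoteid is selected.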