From owner-svn-src-stable-11@freebsd.org Tue Apr 4 11:19:27 2017 Return-Path: Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 440C2D2DF31; Tue, 4 Apr 2017 11:19:27 +0000 (UTC) (envelope-from bu7cher@yandex.ru) Received: from forward5j.cmail.yandex.net (forward5j.cmail.yandex.net [IPv6:2a02:6b8:0:1630::18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "forwards.mail.yandex.net", Issuer "Yandex CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id BF3288BD; Tue, 4 Apr 2017 11:19:26 +0000 (UTC) (envelope-from bu7cher@yandex.ru) Received: from smtp3h.mail.yandex.net (smtp3h.mail.yandex.net [IPv6:2a02:6b8:0:f05::117]) by forward5j.cmail.yandex.net (Yandex) with ESMTP id 8D0C020FEC; Tue, 4 Apr 2017 14:19:12 +0300 (MSK) Received: from smtp3h.mail.yandex.net (localhost.localdomain [127.0.0.1]) by smtp3h.mail.yandex.net (Yandex) with ESMTP id 219BF440E26; Tue, 4 Apr 2017 14:19:09 +0300 (MSK) Received: by smtp3h.mail.yandex.net (nwsmtp/Yandex) with ESMTPSA id E8zq86UFvG-J8t0cs24; Tue, 04 Apr 2017 14:19:08 +0300 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client certificate not present) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1491304748; bh=Wc4khLymdUT5mKHwAxtQ35LJuG89m+kKO9/Ug1KNNig=; h=From:Subject:To:References:Message-ID:Date:In-Reply-To; b=ZZgVHrvjfqHKDxB2uZZeSR4vkPmaOM6GoqXykqjKd9zEJYXsZi+Nku93ntbXPlnMj hoIuUcsw5myowUrFANnMv5n8mIyQX5HAYcGrF2LjdH1v/QBVKBQEge9oAPmfz9AM5z FiPveba5MaY6ycNYdKgu8bW2wsBxWTIB7vLVa/oQ= Authentication-Results: smtp3h.mail.yandex.net; dkim=pass header.i=@yandex.ru X-Yandex-Suid-Status: 1 0,1 0,1 0 From: "Andrey V. Elsukov" Subject: Re: svn commit: r315514 - in stable/11: . contrib/netcat lib/libipsec sbin/ifconfig sbin/ipfw sbin/setkey share/man/man4 sys/conf sys/libkern sys/modules sys/modules/ipsec sys/modules/tcp/tcpmd5 sys/ne... To: Mike Tancsa , FreeBSD-STABLE Mailing List , svn-src-stable-11@freebsd.org References: <201703182204.v2IM4Kfj060263@repo.freebsd.org> <7738349f-e89a-d37d-e36f-0a5e18dc4249@sentex.net> Openpgp: id=E6591E1B41DA1516F0C9BC0001C5EA0410C8A17A Message-ID: <2aa232b9-df57-3512-ae98-1d4b03bb00d4@yandex.ru> Date: Tue, 4 Apr 2017 14:18:26 +0300 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Thunderbird/52.0 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="8AJ2JvJOBeuCxmImkMpEvWeTtATtD9WgK" X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 04 Apr 2017 11:19:27 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --8AJ2JvJOBeuCxmImkMpEvWeTtATtD9WgK Content-Type: multipart/mixed; boundary="M9vdqHIaHgHiwa5qCmhDX7swbdwaeveO2"; protected-headers="v1" From: "Andrey V. Elsukov" To: Mike Tancsa , FreeBSD-STABLE Mailing List , svn-src-stable-11@freebsd.org Message-ID: <2aa232b9-df57-3512-ae98-1d4b03bb00d4@yandex.ru> Subject: Re: svn commit: r315514 - in stable/11: . contrib/netcat lib/libipsec sbin/ifconfig sbin/ipfw sbin/setkey share/man/man4 sys/conf sys/libkern sys/modules sys/modules/ipsec sys/modules/tcp/tcpmd5 sys/ne... References: <201703182204.v2IM4Kfj060263@repo.freebsd.org> <7738349f-e89a-d37d-e36f-0a5e18dc4249@sentex.net> In-Reply-To: --M9vdqHIaHgHiwa5qCmhDX7swbdwaeveO2 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: quoted-printable On 04.04.2017 13:55, Mike Tancsa wrote: >> You have many SAs with the same destination address, it seems to me, >> that this should not work with old IPsec code, because it uses SA >> lookups using only destination address. So, if you have not the same >> password for each SA, it should not work. >> >> Can you try the attached patch? >> >=20 > It did. In the past, inbound sigs I think just didnt work, but it was > uninteresting for the purpose of this app. In this case, it was for bg= p Yes, I checked stable/10 code, it seems TCP-MD5 always used one SA for both inbound and outbound direction. > passwords. I was more concerned with sending the correct password to > the peer. So it was one source IP with many destination addresses (ove= r > a dozen). For the old config I just had the policy in one direction as > well. It seems now with the new ipsec code, I must have the policy in > both directions ? Yes, you need SA for both directions. > The man page for setkey implies I only need one entry. >=20 > Also, should the SPI always been the same, or unique ? SPI is not used by this code, it only needed for compatibility with SADB. Better to use unique SPI for each SA, but for TCP-MD5 it will work anyway. :) --=20 WBR, Andrey V. Elsukov --M9vdqHIaHgHiwa5qCmhDX7swbdwaeveO2-- --8AJ2JvJOBeuCxmImkMpEvWeTtATtD9WgK Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEzBAEBCAAdFiEE5lkeG0HaFRbwybwAAcXqBBDIoXoFAljjgQIACgkQAcXqBBDI oXrMxAgAjPj2mz5kcuAE6Qa6142GMFpSI9urJsYoCdo4SqkY8L2IbjfEujpMIEji BN49gGfcyg2trvLj2Zod7dSLedf9fwZns+Pi+w7AqToHOKHpVcWRQn7J3eFkgUvd 7k8psH3HDudb4Wn2upQ5HMo/uc+/qtXf8HgXshW1Bc/ZPFz6t6AySNoafy7gQi5m dFaJT0KnMy9djEdS/h+EOiFTGIByPUgKNLq2EWlnswZbpmSg/nY6CxlQq8L/MZ/d U6NjieQSCbRL+xHGUWqAj8DW+3L1aIOeoKzQaU6eJcSuD8WCuvLDtlXXAsciepnb yojUuO51UNXOeg3lSjWUQjj7u6JjpQ== =lv1Y -----END PGP SIGNATURE----- --8AJ2JvJOBeuCxmImkMpEvWeTtATtD9WgK--