Date: Tue, 4 Apr 2017 14:18:26 +0300
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Mike Tancsa <mike@sentex.net>, FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org>, svn-src-stable-11@freebsd.org
Subject: Re: svn commit: r315514 - in stable/11: . contrib/netcat lib/libipsec sbin/ifconfig sbin/ipfw sbin/setkey share/man/man4 sys/conf sys/libkern sys/modules sys/modules/ipsec sys/modules/tcp/tcpmd5 sys/ne...
Message-ID: <2aa232b9-df57-3512-ae98-1d4b03bb00d4@yandex.ru>
In-Reply-To: <a3ee1736-ca0b-76dc-0561-6bd27dd79071@sentex.net>
References: <201703182204.v2IM4Kfj060263@repo.freebsd.org> <7738349f-e89a-d37d-e36f-0a5e18dc4249@sentex.net> <cdff758c-e7d7-d22d-512e-2137ba70e78a@yandex.ru> <a3ee1736-ca0b-76dc-0561-6bd27dd79071@sentex.net>
On 04.04.2017 13:55, Mike Tancsa wrote:
>> You have many SAs with the same destination address, it seems to me,
>> that this should not work with old IPsec code, because it uses SA
>> lookups using only the destination address. So, if you do not have the same
>> password for each SA, it should not work.
>>
>> Can you try the attached patch?
>>
>
> It did. In the past, inbound sigs I think just didn't work, but it was
> uninteresting for the purpose of this app. In this case, it was for bgp

Yes, I checked the stable/10 code; it seems TCP-MD5 always used one SA for
both the inbound and outbound directions.

> passwords. I was more concerned with sending the correct password to
> the peer. So it was one source IP with many destination addresses (over
> a dozen). For the old config I just had the policy in one direction as
> well. It seems now with the new ipsec code, I must have the policy in
> both directions?
Yes, you need an SA for both directions.

> The man page for setkey implies I only need one entry.
>
> Also, should the SPI always be the same, or unique?

The SPI is not used by this code; it is only needed for compatibility with the SADB.
It is better to use a unique SPI for each SA, but for TCP-MD5 it will work anyway. :)

--
WBR,
Andrey V. Elsukov
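The layout Andrey describes above, one TCP-MD5 SA per direction per BGP peer with a distinct SPI for each, as an added example that is not part of this thread or of FreeBSD: a small POSIX sh helper that emits setkey(8) input in the `add src dst tcp spi -A tcp-md5 "secret";` form documented in tcpmd5(4). The peer addresses, secrets and base SPI below are constructed placeholders; `tcpmd5_setkey_conf` and `SAMPLE_PEERS` are names chosen here.

```shell
#!/bin/sh
# Emit setkey(8) input that installs a TCP-MD5 SA for BOTH directions of
# every BGP peer, giving each SA its own SPI (as recommended above, even
# though the TCP-MD5 code itself does not match on the SPI).
#
# Usage: tcpmd5_setkey_conf LOCAL_IP BASE_SPI < peers
# where each input line is "PEER_IP SECRET".
tcpmd5_setkey_conf() {
    local_ip=$1
    spi=$2
    while read -r peer secret; do
        # skip blank lines in the peer list
        [ -z "$peer" ] && continue
        # outbound SA: local router -> peer
        printf 'add %s %s tcp 0x%04x -A tcp-md5 "%s";\n' \
            "$local_ip" "$peer" "$spi" "$secret"
        spi=$((spi + 1))
        # inbound SA: peer -> local router; a one-direction config like the
        # old setup would omit this line, so inbound signatures never matched
        printf 'add %s %s tcp 0x%04x -A tcp-md5 "%s";\n' \
            "$peer" "$local_ip" "$spi" "$secret"
        spi=$((spi + 1))
    done
}

# Constructed sample peer list (documentation addresses, placeholder secrets).
SAMPLE_PEERS='192.0.2.10 peer10-secret
192.0.2.20 peer20-secret
192.0.2.30 peer30-secret'

# Review the generated SADB entries; on the router you would pipe the same
# output into "setkey -c" instead of cat.
printf '%s\n' "$SAMPLE_PEERS" | tcpmd5_setkey_conf 192.0.2.1 4096 | cat
```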
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2aa232b9-df57-3512-ae98-1d4b03bb00d4>