svn commit: r315514 - in stable/11: . contrib/netcat lib/libipsec sbin/ifconfig sbin/ipfw sbin/setkey share/man/man4 sys/conf sys/libkern sys/modules sys/modules/ipsec sys/modules/tcp/tcpmd5 sys/ne...
Mike Tancsa
mike at sentex.net
Tue Apr 4 10:55:57 UTC 2017
On 4/4/2017 2:24 AM, Andrey V. Elsukov wrote:
> On 04.04.2017 00:39, Mike Tancsa wrote:
> It seems you have encrypted your config, because I don't see IP with 128
> octets :)
:)
>
> One question, does this even worked before?
> You have many SAs with the same destination address, it seems to me,
> that this should not work with old IPsec code, because it uses SA
> lookups using only destination address. So, if you have not the same
> password for each SA, it should not work.
>
> Can you try the attached patch?
>
It did. In the past, inbound sigs I think just didnt work, but it was
uninteresting for the purpose of this app. In this case, it was for bgp
passwords. I was more concerned with sending the correct password to
the peer. So it was one source IP with many destination addresses (over
a dozen). For the old config I just had the policy in one direction as
well. It seems now with the new ipsec code, I must have the policy in
both directions ?
The man page for setkey implies I only need one entry.
Also, should the SPI always been the same, or unique ?
compiling the patch now.
---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
More information about the svn-src-stable-11
mailing list