Andrey V. Elsukov
2017-Apr-04 06:24 UTC
svn commit: r315514 - in stable/11: . contrib/netcat lib/libipsec sbin/ifconfig sbin/ipfw sbin/setkey share/man/man4 sys/conf sys/libkern sys/modules sys/modules/ipsec sys/modules/tcp/tcpmd5 sys/ne...
On 04.04.2017 00:39, Mike Tancsa wrote:
> Hi,
> I ran into a strange problem when migrating a box that makes use of tcp
> md5 signatures. Having these two policies that have IPs which happen to
> be 128 octets apart get rejected

It seems you have encrypted your config, because I don't see an IP with 128
octets :)

One question, did this even work before? You have many SAs with the same
destination address; it seems to me that this should not work with the old
IPsec code, because it does SA lookups using only the destination address.
So, if you do not have the same password for each SA, it should not work.

Can you try the attached patch?

-- 
WBR, Andrey V. Elsukov

[Attachment: key.diff, text/x-patch, 970 bytes: <http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20170404/8294bd22/attachment.bin>]
Mike Tancsa
2017-Apr-04 10:55 UTC
svn commit: r315514 - in stable/11: . contrib/netcat lib/libipsec sbin/ifconfig sbin/ipfw sbin/setkey share/man/man4 sys/conf sys/libkern sys/modules sys/modules/ipsec sys/modules/tcp/tcpmd5 sys/ne...
On 4/4/2017 2:24 AM, Andrey V. Elsukov wrote:
> On 04.04.2017 00:39, Mike Tancsa wrote:
> It seems you have encrypted your config, because I don't see IP with 128
> octets :)

:)

> One question, does this even worked before?
> You have many SAs with the same destination address, it seems to me,
> that this should not work with old IPsec code, because it uses SA
> lookups using only destination address. So, if you have not the same
> password for each SA, it should not work.
>
> Can you try the attached patch?

It did. In the past, inbound sigs I think just didn't work, but it was
uninteresting for the purpose of this app. In this case, it was for BGP
passwords. I was more concerned with sending the correct password to the
peer. So it was one source IP with many destination addresses (over a
dozen). For the old config I just had the policy in one direction as well.

It seems now with the new IPsec code, I must have the policy in both
directions? The man page for setkey implies I only need one entry. Also,
should the SPI always be the same, or unique?

Compiling the patch now.

---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
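As an added example (not from the thread, and not FreeBSD's own configuration): a POSIX shell script that generates a setkey(8) SAD file for the layout Mike describes, one local address talking to many BGP peers, installing a tcp-md5 SA for each peer in both directions with a per-peer secret. The local address, peer addresses and secrets are invented placeholders; the `add src dst tcp 0x1000 -A tcp-md5 "secret" ;` form and the 0x1000 SPI follow the tcp-md5 example in the setkey(8) man page. Whether a single direction is enough under the new IPsec code is exactly the question left open above, so the script installs both, which works in either case.

```shell
#!/bin/sh
# Added example: generate a setkey(8) SAD file with per-peer TCP-MD5 SAs in
# both directions.  Addresses and secrets are constructed placeholders; the
# "add ... tcp 0x1000 -A tcp-md5 ..." form follows the setkey(8) man page.

LOCAL=192.0.2.1          # assumed local BGP speaker address

# Constructed peer table, one "<peer-address> <secret>" per line.
PEERS='198.51.100.10 secret-for-peer-a
198.51.100.138 secret-for-peer-b
203.0.113.7 secret-for-peer-c'

# tcpmd5_sa SRC DST SECRET -> one setkey "add" statement on stdout
tcpmd5_sa() {
    printf 'add %s %s tcp 0x1000 -A tcp-md5 "%s" ;\n' "$1" "$2" "$3"
}

# gen_sad -> full setkey script: two SAs per peer, each with its own secret.
# No "flush;" is emitted so an existing SAD (e.g. IPsec tunnels) is untouched.
gen_sad() {
    echo "$PEERS" | while read -r peer secret; do
        [ -n "$peer" ] || continue
        tcpmd5_sa "$LOCAL" "$peer" "$secret"   # outbound: sign segments we send
        tcpmd5_sa "$peer" "$LOCAL" "$secret"   # inbound: verify segments from peer
    done
}

# count_sas -> number of "add" statements produced (expect 2 per peer)
count_sas() {
    gen_sad | grep -c '^add '
}

# Usage: gen_sad > /etc/ipsec-tcpmd5.conf && setkey -f /etc/ipsec-tcpmd5.conf
gen_sad
```

Load the output with `setkey -f` and check it with `setkey -D`; each peer should show two SAs with the same SPI but opposite src/dst.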