Mike Tancsa
2017-Apr-04 10:55 UTC
svn commit: r315514 - in stable/11: . contrib/netcat lib/libipsec sbin/ifconfig sbin/ipfw sbin/setkey share/man/man4 sys/conf sys/libkern sys/modules sys/modules/ipsec sys/modules/tcp/tcpmd5 sys/ne...
On 4/4/2017 2:24 AM, Andrey V. Elsukov wrote:
> On 04.04.2017 00:39, Mike Tancsa wrote:
> It seems you have encrypted your config, because I don't see IP with 128
> octets :):)
>
> One question, did this even work before?
> You have many SAs with the same destination address, it seems to me,
> that this should not work with old IPsec code, because it uses SA
> lookups using only destination address. So, if you have not the same
> password for each SA, it should not work.
>
> Can you try the attached patch?

It did. In the past, inbound sigs I think just didn't work, but it was uninteresting for the purpose of this app. In this case, it was for bgp passwords. I was more concerned with sending the correct password to the peer. So it was one source IP with many destination addresses (over a dozen). For the old config I just had the policy in one direction as well. It seems now with the new ipsec code, I must have the policy in both directions? The man page for setkey implies I only need one entry.

Also, should the SPI always be the same, or unique?

compiling the patch now.

---Mike

--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
Andrey V. Elsukov
2017-Apr-04 11:18 UTC
svn commit: r315514 - in stable/11: . contrib/netcat lib/libipsec sbin/ifconfig sbin/ipfw sbin/setkey share/man/man4 sys/conf sys/libkern sys/modules sys/modules/ipsec sys/modules/tcp/tcpmd5 sys/ne...
On 04.04.2017 13:55, Mike Tancsa wrote:
>> You have many SAs with the same destination address, it seems to me,
>> that this should not work with old IPsec code, because it uses SA
>> lookups using only destination address. So, if you have not the same
>> password for each SA, it should not work.
>>
>> Can you try the attached patch?
>>
>
> It did. In the past, inbound sigs I think just didn't work, but it was
> uninteresting for the purpose of this app. In this case, it was for bgp

Yes, I checked stable/10 code, it seems TCP-MD5 always used one SA for both inbound and outbound direction.

> passwords. I was more concerned with sending the correct password to
> the peer. So it was one source IP with many destination addresses (over
> a dozen). For the old config I just had the policy in one direction as
> well. It seems now with the new ipsec code, I must have the policy in
> both directions?

Yes, you need SA for both directions.

> The man page for setkey implies I only need one entry.
>
> Also, should the SPI always be the same, or unique?

SPI is not used by this code, it is only needed for compatibility with SADB. Better to use unique SPI for each SA, but for TCP-MD5 it will work anyway. :)

--
WBR, Andrey V. Elsukov
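An added example, not from either poster's mail: a POSIX shell helper that emits a setkey(8) configuration in the shape the reply above asks for, one TCP-MD5 SA per direction for each BGP peer, each SA with its own SPI and its own secret, for the "one local address, many peers" layout Mike describes. The `add SRC DST tcp SPI -A tcp-md5 "secret";` line form follows the setkey(8) TCP-MD5 syntax; the addresses, the peer list format (`peer:secret`) and the secrets are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread): generate a setkey(8) config with one
# TCP-MD5 SA per direction for every BGP peer, each with a unique SPI.
# Assumptions: "peer:secret" list format, sample addresses and secrets are
# constructed for illustration; SPIs are assigned upward from 0x1000.

# gen_tcpmd5_sas LOCAL_IP "PEER1:SECRET1 PEER2:SECRET2 ..."
# Prints two "add" lines per peer: local->peer (outbound) and peer->local
# (inbound), because the new IPsec code needs an SA for each direction.
gen_tcpmd5_sas() {
    local_ip=$1
    peers=$2
    spi=4096                      # 0x1000; incremented so no SPI repeats
    for entry in $peers; do
        peer=${entry%%:*}         # text before the first ':'
        secret=${entry#*:}        # text after the first ':'
        printf 'add %s %s tcp 0x%x -A tcp-md5 "%s";\n' \
            "$local_ip" "$peer" "$spi" "$secret"
        spi=$((spi + 1))
        printf 'add %s %s tcp 0x%x -A tcp-md5 "%s";\n' \
            "$peer" "$local_ip" "$spi" "$secret"
        spi=$((spi + 1))
    done
}

# count_sas LOCAL_IP "PEERS" -> number of SA lines emitted (2 per peer)
count_sas() {
    gen_tcpmd5_sas "$@" | wc -l | tr -d ' '
}

# count_unique_spis LOCAL_IP "PEERS" -> number of distinct SPIs (field 5)
count_unique_spis() {
    gen_tcpmd5_sas "$@" | awk '{print $5}' | sort -u | wc -l | tr -d ' '
}

# Sample run with constructed values: one router, two peers, per-peer secrets.
gen_tcpmd5_sas 192.0.2.1 "198.51.100.2:secretA 198.51.100.3:secretB"
```

Feed the output to `setkey -f` and check with `setkey -D` that both the local-to-peer and peer-to-local entries are present for every peer; the BGP daemon still has to enable TCP_MD5SIG on its sockets for the SAs to be used.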