multiple if_ipsec

Andrey V. Elsukov bu7cher at yandex.ru
Mon Apr 23 12:45:13 UTC 2018


On 23.04.2018 15:10, Victor Gamov wrote:
> # setkey -D
> =====
> __FreeBSD_IP__ __Cisco_30__
>     esp mode=tunnel spi=2124688285(0x7ea42b9d) reqid=26(0x0000001a)
                                  This must be 30 ^^^^^^^

> __FreeBSD_IP__ __Cisco_25__
>     esp mode=tunnel spi=153891647(0x092c333f) reqid=26(0x0000001a)
>     E: rijndael-cbc  8f9905fe 6a9cfc76 a0da354b 53a7f901 298dca43

> __Cisco_25__ __FreeBSD_IP__
>     esp mode=tunnel spi=21918183(0x014e71e7) reqid=26(0x0000001a)
>     E: rijndael-cbc  43e8f54a 0bdda6b5 41a637d5 4469973d 5b3dc8d0

> __FreeBSD_IP__ __Cisco_26__
>     esp mode=tunnel spi=2471238029(0x934c198d) reqid=26(0x0000001a)
                                   This must be 16385 ^^^^^

> __Cisco_26__ __FreeBSD_IP__
>     esp mode=tunnel spi=103689330(0x062e2c72) reqid=26(0x0000001a)
                                   This must be 16385 ^^^^^

> __Cisco_30__ __FreeBSD_IP__
>     esp mode=tunnel spi=42561509(0x02896fe5) reqid=26(0x0000001a)
                                   This must be 30 ^^^^^^^

> ipsec30: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
>     description: -so: Kur
>     tunnel inet __FreeBSD_IP__ --> __Cisco_30__
>     inet 10.10.98.1 --> 10.10.98.2  netmask 0xfffffffc
>     nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>     reqid: 30
>     groups: ipsec
> ipsec26: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
>     description: -so: Mur
>     tunnel inet __FreeBSD_IP__ --> __Cisco_26__
>     inet 10.10.98.9 --> 10.10.98.10  netmask 0xfffffffc
>     nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>     reqid: 16385
>     groups: ipsec
> ipsec25: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
>     description: -so: Sofy
>     tunnel inet __FreeBSD_IP__ --> __Cisco_25__
>     inet 10.10.98.5 --> 10.10.98.6  netmask 0xfffffffc
>     nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>     reqid: 26
>     groups: ipsec

Your security associations don't match your security policies.
Probably you did the interface reconfiguration without clearing old SAs.

I think your configuration will work if you first do the if_ipsec(4)
configuration, then start racoon and it will generate SAs.

To clear all old/stale configured SAs you can first stop racoon, then
run `setkey -DF` and `setkey -DPF`.

-- 
WBR, Andrey V. Elsukov
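As an added illustration of the check Andrey is doing by hand above (this is my own script, not part of the thread and not a FreeBSD tool): it parses `setkey -D` and `ifconfig` output, pairs each tunnel-mode SA with the if_ipsec(4) interface whose tunnel endpoints match it, and reports SAs whose reqid differs from the interface's reqid, plus SAs that match no interface at all. The sample input is constructed from the quoted output, keeping the thread's placeholder addresses; the parser assumes the line shapes shown in the thread and ignores the extra lines (keys, replay state, lifetimes) that real `setkey -D` output carries.

```python
import re

# Constructed sample in the shape of `setkey -D` output, taken from the quoted
# thread above with its placeholder addresses (__FreeBSD_IP__, __Cisco_NN__).
SETKEY_D = """\
__FreeBSD_IP__ __Cisco_30__
    esp mode=tunnel spi=2124688285(0x7ea42b9d) reqid=26(0x0000001a)
__FreeBSD_IP__ __Cisco_25__
    esp mode=tunnel spi=153891647(0x092c333f) reqid=26(0x0000001a)
    E: rijndael-cbc  8f9905fe 6a9cfc76 a0da354b 53a7f901 298dca43
__Cisco_25__ __FreeBSD_IP__
    esp mode=tunnel spi=21918183(0x014e71e7) reqid=26(0x0000001a)
__FreeBSD_IP__ __Cisco_26__
    esp mode=tunnel spi=2471238029(0x934c198d) reqid=26(0x0000001a)
__Cisco_26__ __FreeBSD_IP__
    esp mode=tunnel spi=103689330(0x062e2c72) reqid=26(0x0000001a)
__Cisco_30__ __FreeBSD_IP__
    esp mode=tunnel spi=42561509(0x02896fe5) reqid=26(0x0000001a)
"""

# Constructed sample in the shape of `ifconfig` output for if_ipsec interfaces.
IFCONFIG = """\
ipsec30: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
    tunnel inet __FreeBSD_IP__ --> __Cisco_30__
    reqid: 30
    groups: ipsec
ipsec26: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
    tunnel inet __FreeBSD_IP__ --> __Cisco_26__
    reqid: 16385
    groups: ipsec
ipsec25: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
    tunnel inet __FreeBSD_IP__ --> __Cisco_25__
    reqid: 26
    groups: ipsec
"""

SA_HEADER = re.compile(r"^(\S+)\s+(\S+)\s*$")            # "src dst", unindented
SA_DETAIL = re.compile(r"^\s+esp\s+mode=(\w+)\s+spi=\d+\((0x[0-9a-f]+)\)\s+reqid=(\d+)")
IF_HEADER = re.compile(r"^(\S+):\s+flags=")
IF_TUNNEL = re.compile(r"^\s+tunnel\s+inet6?\s+(\S+)\s+-->\s+(\S+)")
IF_REQID = re.compile(r"^\s+reqid:\s+(\d+)")


def parse_setkey_sas(text):
    """Collect ESP SAs as dicts {src, dst, mode, spi, reqid}; other lines are ignored."""
    sas, src, dst = [], None, None
    for line in text.splitlines():
        m = SA_HEADER.match(line)
        if m:
            src, dst = m.groups()
            continue
        m = SA_DETAIL.match(line)
        if m and src is not None:
            mode, spi, reqid = m.groups()
            sas.append({"src": src, "dst": dst, "mode": mode, "spi": spi, "reqid": int(reqid)})
    return sas


def parse_ipsec_interfaces(text):
    """Collect interfaces that have both a tunnel line and a reqid line."""
    ifaces, cur = [], None
    for line in text.splitlines():
        m = IF_HEADER.match(line)
        if m:
            cur = {"name": m.group(1), "src": None, "dst": None, "reqid": None}
            ifaces.append(cur)
            continue
        if cur is None:
            continue
        m = IF_TUNNEL.match(line)
        if m:
            cur["src"], cur["dst"] = m.groups()
            continue
        m = IF_REQID.match(line)
        if m:
            cur["reqid"] = int(m.group(1))
    return [i for i in ifaces if i["src"] is not None and i["reqid"] is not None]


def find_stale_sas(setkey_text, ifconfig_text):
    """Return (mismatched, orphaned).

    mismatched: (iface, spi, sa_reqid, iface_reqid) for tunnel SAs whose reqid
    differs from the if_ipsec interface that owns the same tunnel endpoints.
    orphaned: tunnel SAs whose endpoints belong to no if_ipsec interface.
    """
    by_endpoints = {}
    for i in parse_ipsec_interfaces(ifconfig_text):
        by_endpoints[(i["src"], i["dst"])] = i
        by_endpoints[(i["dst"], i["src"])] = i  # inbound SA has reversed endpoints
    mismatched, orphaned = [], []
    for sa in parse_setkey_sas(setkey_text):
        if sa["mode"] != "tunnel":
            continue
        iface = by_endpoints.get((sa["src"], sa["dst"]))
        if iface is None:
            orphaned.append(sa)
        elif iface["reqid"] != sa["reqid"]:
            mismatched.append((iface["name"], sa["spi"], sa["reqid"], iface["reqid"]))
    return mismatched, orphaned


if __name__ == "__main__":
    bad, lost = find_stale_sas(SETKEY_D, IFCONFIG)
    for name, spi, have, want in bad:
        print(f"{name}: SA {spi} has reqid={have}, interface expects reqid={want}")
    for sa in lost:
        print(f"no if_ipsec interface for SA {sa['spi']} {sa['src']} -> {sa['dst']}")
    if bad or lost:
        print("stale SAs: stop racoon, flush with setkey -DF / setkey -DPF, then restart it")
```

Against the thread's data the script reports four stale SAs (both directions of ipsec30 and ipsec26, all carrying reqid 26) and none for ipsec25, which is exactly what the `^^^^^` annotations above point out. On a live host, feed it `setkey -D` and `ifconfig` output instead of the embedded samples.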
