svn commit: r315514 - in stable/11: . contrib/netcat lib/libipsec sbin/ifconfig sbin/ipfw sbin/setkey share/man/man4 sys/conf sys/libkern sys/modules sys/modules/ipsec sys/modules/tcp/tcpmd5 sys/ne...

[Andrey V. Elsukov]

On 04.04.2017 00:39, Mike Tancsa wrote:
> Hi,
> 	I ran into a strange problem when migrating a box that makes use of tcp
> md5 signatures. Having these two policies that have IPs which happen to
> be 128 octets apart get rejected

It seems you have encrypted your config, because I don't see IP with 128
octets :)

One question, does this even worked before?
You have many SAs with the same destination address, it seems to me,
that this should not work with old IPsec code, because it uses SA
lookups using only destination address. So, if you have not the same
password for each SA, it should not work.

Can you try the attached patch?

-- 
WBR, Andrey V. Elsukov
-------------- next part --------------
A non-text attachment was scrubbed...
Name: key.diff
Type: text/x-patch
Size: 970 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20170404/8294bd22/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 553 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20170404/8294bd22/attachment.sig>