svn commit: r315514 - in stable/11: . contrib/netcat lib/libipsec sbin/ifconfig sbin/ipfw sbin/setkey share/man/man4 sys/conf sys/libkern sys/modules sys/modules/ipsec sys/modules/tcp/tcpmd5 sys/ne...

Andrey V. Elsukov bu7cher at yandex.ru
Tue Apr 4 11:19:27 UTC 2017


On 04.04.2017 13:55, Mike Tancsa wrote:
>> You have many SAs with the same destination address; it seems to me
>> that this should not work with the old IPsec code, because it does SA
>> lookups using only the destination address. So, if you do not have the
>> same password for each SA, it should not work.
>>
>> Can you try the attached patch?
>>
> 
> It did. In the past, inbound sigs I think just didn't work, but it was
> uninteresting for the purpose of this app.  In this case, it was for BGP

Yes, I checked the stable/10 code; it seems TCP-MD5 always used one SA for
both the inbound and outbound directions.

> passwords.  I was more concerned with sending the correct password to
> the peer.  So it was one source IP with many destination addresses (over
> a dozen). For the old config I just had the policy in one direction as
> well.  It seems now with the new IPsec code, I must have the policy in
> both directions?

Yes, you need an SA for both directions.

> The man page for setkey implies I only need one entry.
> 
> Also, should the SPI always be the same, or unique?

The SPI is not used by this code; it is only needed for compatibility with
the SADB. It is better to use a unique SPI for each SA, but for TCP-MD5 it
will work anyway. :)

-- 
WBR, Andrey V. Elsukov
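
Added example, not from the thread or from the FreeBSD tree: a small POSIX sh generator that turns a "one local router, many BGP peers" table into setkey(8) `add` lines with one TCP-MD5 SA per direction and a unique SPI per SA, which is what the new stable/11 IPsec code requires according to the discussion above. The addresses, SPIs and secrets are constructed placeholders; the `add src dst tcp spi -A tcp-md5 "secret";` syntax is the documented setkey(8) form for TCP-MD5 SAs.

```shell
#!/bin/sh
# Added example (not from the thread). Emit setkey(8) 'add' lines for
# TCP-MD5 in BOTH directions, one SA per direction, each with its own SPI.
# All addresses, SPIs and secrets below are constructed placeholders.

# gen_tcpmd5_sa LOCAL PEER SPI_OUT SPI_IN SECRET
# Prints the outbound SA (local -> peer) and the inbound SA (peer -> local).
# The TCP-MD5 path does not consult the SPI, but giving each SA a distinct
# SPI keeps the two SADB entries unambiguous.
gen_tcpmd5_sa() {
    local_ip=$1; peer_ip=$2; spi_out=$3; spi_in=$4; secret=$5
    printf 'add %s %s tcp %s -A tcp-md5 "%s";\n' "$local_ip" "$peer_ip" "$spi_out" "$secret"
    printf 'add %s %s tcp %s -A tcp-md5 "%s";\n' "$peer_ip" "$local_ip" "$spi_in" "$secret"
}

# Peer table (constructed sample): "peer-address secret", one peer per line,
# each BGP neighbour with its own password.
PEERS='198.51.100.2 peerA-secret
198.51.100.3 peerB-secret
203.0.113.7 peerC-secret'

# gen_config LOCAL_IP
# Writes a complete setkey script to stdout; SPIs are allocated in pairs
# starting at 0x1000 so no two SAs share one.
gen_config() {
    local_ip=$1
    spi=4096   # 0x1000
    echo "$PEERS" | while read -r peer secret; do
        [ -n "$peer" ] || continue
        gen_tcpmd5_sa "$local_ip" "$peer" \
            "$(printf '0x%x' "$spi")" "$(printf '0x%x' $((spi + 1)))" "$secret"
        spi=$((spi + 2))
    done
}

# count_sa_lines LOCAL_IP -> number of 'add' lines; must be 2 x peers.
count_sa_lines() {
    gen_config "$1" | grep -c '^add '
}

# Usage: gen_config 198.51.100.1 > /etc/ipsec.tcpmd5.conf; setkey -f that file.
gen_config 198.51.100.1
```

The inbound entry is the one that was silently missing in the single-SA setups that worked on stable/10: without it the kernel has nothing to verify the peer's MD5 option against, so on stable/11 the session will not come up. Loading the file with `setkey -f` replaces nothing by itself; add a `flush;` at the top only if you really want every existing SA, not just the TCP-MD5 ones, gone.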



