svn commit: r315514 - in stable/11: . contrib/netcat lib/libipsec sbin/ifconfig sbin/ipfw sbin/setkey share/man/man4 sys/conf sys/libkern sys/modules sys/modules/ipsec sys/modules/tcp/tcpmd5 sys/ne...
Mike Tancsa
mike at sentex.net
Tue Apr 4 19:55:37 UTC 2017
On 4/4/2017 7:18 AM, Andrey V. Elsukov wrote:
> On 04.04.2017 13:55, Mike Tancsa wrote:
>
> Yes, you need SA for both directions.
>
>> The man page for setkey implies I only need one entry.
>>
>> Also, should the SPI always be the same, or unique?
>
> SPI is not used by this code, it is only needed for compatibility with
> SADB. Better to use unique SPI for each SA, but for TCP-MD5 it will work
> anyway. :)
>
Perhaps to the man pages, this small change?
--- sbin/setkey/setkey.8.prev 2017-04-04 15:11:03.312911000 -0400
+++ sbin/setkey/setkey.8 2017-04-04 15:53:31.296152000 -0400
@@ -696,6 +696,7 @@
Use TCP MD5 between two numerically specified hosts:
.Bd -literal -offset indent
add 10.1.10.34 10.1.10.36 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ;
+add 10.1.10.36 10.1.10.34 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ;
.Ed
.\"
.Sh SEE ALSO
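Review bot: The added reverse-direction entry reuses SPI 0x1000 from the line above it. The thread states that a unique SPI per SA is the better practice even though TCP-MD5 does not use the value, so consider 0x1001 for the 10.1.10.36 to 10.1.10.34 entry so the manual page example does not teach duplicate SPIs. The introductory sentence "Use TCP MD5 between two numerically specified hosts:" also still gives no reason for the two add lines; a short statement that one SA is needed for each direction would make the example self-explanatory.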
---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/