On 23/04/2018 15:43, Andrey V. Elsukov wrote:

> Your security associations don't match your security policies.
> Probably you did the interface reconfiguration without clearing old SAs.
>
> I think your configuration will work if you first do the if_ipsec(4)
> configuration, then start racoon, and it will generate the SAs.
>
> To clear all old/stale configured SAs you can first stop racoon, then
> run `setkey -DF` and `setkey -DPF`.

Hi Andrey

Thanks for your advice: I found a typo in my rc.conf and now the ipsec interfaces are created with the proper reqid.

After all ipsec interfaces are created I have many SPD entries configured like '0.0.0.0/0[any] 0.0.0.0/0[any] any' with a properly configured ifname=ipsec[25|26|30]


But now I'm sure I have a racoon misconfiguration: if I use one "sainfo anonymous" then all created SAs bind to the last configured ipsec interface. So I need a sainfo entry for every remote entry.


But I still can't understand how to bind the SPD automatically created by
'ifconfig ipsec30 reqid 30 ...' to the SA configured like
=====
remote __Cisco_IP_30__ {
  my_identifier address __FreeBSD_IP__;
  peers_identifier address __Cisco_IP_30__;
  ph1id 30;
}
sainfo ??? {
  remoteid 30;
}
=====


If I configure
sainfo address __FreeBSD_IP__ any address __Cisco_IP_30__ any {
   remoteid 30;
   .....
}

then I get the following error
=====
racoon: DEBUG: getsainfo params: loc='0.0.0.0/0' rmt='0.0.0.0/0' peer='__Cisco_IP_30__' client='__Cisco_IP_30__' id=30
racoon: DEBUG: evaluating sainfo: loc='__FreeBSD_IP__', rmt='__Cisco_IP_30__', peer='ANY', id=30
racoon: DEBUG: check and compare ids : value mismatch (IPv4_address)
racoon: DEBUG: cmpid target: '0.0.0.0/0'
racoon: DEBUG: cmpid source: '__FreeBSD_IP__'
racoon: DEBUG: IV freed
=====


Can you please explain to me how sainfo (or something else) must be properly configured?

Thanks!

--
CU,
Victor Gamov
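An added example, not part of the thread and not an answer from its participants, of what the debug lines in the mail point at: getsainfo is called with loc='0.0.0.0/0' and rmt='0.0.0.0/0' (the selectors of the if_ipsec policies) and id=30, and the only failing comparison is the address one (target '0.0.0.0/0' against source '__FreeBSD_IP__'). A sainfo whose selectors also cover 0.0.0.0/0 and that carries remoteid 30 is therefore the shape that passes that comparison. The algorithm lines and exchange_mode are assumptions for completeness, the addresses are the mail's placeholders, and the thread does not show whether this alone fixes the SA-to-interface binding that the reqid provides.

```conf
# racoon.conf fragment (added example, not the poster's working config)
remote __Cisco_IP_30__ {
        exchange_mode main;                      # assumption
        my_identifier address __FreeBSD_IP__;
        peers_identifier address __Cisco_IP_30__;
        ph1id 30;                                # pairs with remoteid below
        proposal {                               # assumed algorithms
                encryption_algorithm aes 256;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Selectors must cover what the SPD asks for (0.0.0.0/0 on both sides), or
# the "check and compare ids : value mismatch" in the debug output recurs.
sainfo address 0.0.0.0/0 any address 0.0.0.0/0 any {
        remoteid 30;                             # only for the ph1id 30 peer
        pfs_group 2;                             # assumption
        encryption_algorithm aes 256;            # assumption
        authentication_algorithm hmac_sha1;      # assumption
        compression_algorithm deflate;
}
```

One such remote/sainfo pair per Cisco peer, each with its own ph1id/remoteid value, is the per-remote sainfo the mail says is needed; the debug line 'evaluating sainfo: ... id=30' is where racoon reports which pair it is trying.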
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"