Hi Victor,

I’m struggling with the same issue. My sainfo doesn’t match unless I use
anonymous.

Hi Andrey,

What I don’t understand is why a “catchall” policy is added instead of the 
policy that matches the inner tunnel.

What is supposed to happen here? Is the IKE daemon supposed to update the
policy once started?

Peter


> On 25 Apr 2018, at 13:48, Victor Gamov <v...@otcnet.ru> wrote:
> 
> On 23/04/2018 15:43, Andrey V. Elsukov wrote:
>> Your security associations doesn't match your security policies.
>> Probably you did interfaces reconfiguration without clearing old SAs.
>> I think your configuration will work, if you first will done if_ipsec(4)
>> configuration, then start racoon and it will generate SAs.
>> To clear all old/stale configured SAs you can first stop racoon, then
>> run `setkey -DF` and `setkey -DPF`.
> 
> Hi Andrey
> 
> Thanks for your advice: I found a typo in my rc.conf and now the ipsec interfaces
> are created with the proper reqid.
> 
> After all ipsec interfaces are created I have many SPD entries configured like
> '0.0.0.0/0[any] 0.0.0.0/0[any] any' with properly configured
> ifname=ipsec[25|26|30]
> 
> 
> But now I'm sure I have a racoon misconfiguration: if I use one "sainfo
> anonymous" then all created SAs bind to the last configured ipsec interface. So I
> need a sainfo entry for every remote entry.
> 
> 
> But I still can't understand how to bind the SPD automatically created by
> 'ifconfig ipsec30 reqid 30 ...' to an SA configured like
> =====
> remote __Cisco_IP_30__ {
>  my_identifier address __FreeBSD_IP__;
>  peers_identifier address __Cisco_IP_30__;
>  ph1id 30;
> }
> sainfo ??? {
>  remoteid 30;
> }
> =====
> 
> 
> If I configure
> sainfo address __FreeBSD_IP__ any address __Cisco_IP_30 any {
>   remoteid 30;
>   .....
> }
> 
> then I get the following error
> =====
> racoon: DEBUG: getsainfo params: loc='0.0.0.0/0' rmt='0.0.0.0/0' 
> peer='__Cisco_IP_30__' client='__Cisco_IP_30__' id=30
> racoon: DEBUG: evaluating sainfo: loc='__FreeBSD_IP__', 
> rmt='__Cisco_IP_30__', peer='ANY', id=30
> racoon: DEBUG: check and compare ids : value mismatch (IPv4_address)
> racoon: DEBUG: cmpid target: '0.0.0.0/0'
> racoon: DEBUG: cmpid source: '__FreeBSD_IP__'
> racoon: DEBUG: IV freed
> =====
> 
> 
> Can you please explain to me how sainfo (or something else) must be properly
> configured?
> 
> Thanks!
> 
> --
> CU,
> Victor Gamov
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

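The quoted debug output shows where the match fails: racoon evaluates the sainfo with the selectors it took from the if_ipsec(4) policy (loc='0.0.0.0/0' rmt='0.0.0.0/0'), and the sainfo written with host addresses loses the "check and compare ids" step against '0.0.0.0/0'. The fragment below is an added example, not from Victor, Andrey, Peter or the FreeBSD project: a racoon.conf in which the sainfo selectors are written as the same catch-all prefixes the policy carries, while remoteid/ph1id still ties the phase 2 settings to one peer. The addresses are RFC 5737 documentation placeholders standing in for __FreeBSD_IP__ and __Cisco_IP_30__, the algorithms and pre-shared-key authentication are assumptions, and whether the selectors match on a given racoon build is something to confirm against the same "evaluating sainfo" debug lines.

```conf
# Added example (not from the thread): racoon.conf fragment for one
# if_ipsec(4) tunnel, ipsec30, created with 'ifconfig ipsec30 reqid 30 ...'.
# 198.51.100.1 stands for __FreeBSD_IP__ and 192.0.2.30 for __Cisco_IP_30__;
# both are documentation placeholders. Algorithms are assumptions.

remote 192.0.2.30 {
        exchange_mode main;
        my_identifier address 198.51.100.1;
        peers_identifier address 192.0.2.30;
        ph1id 30;                         # matched by 'remoteid 30' below
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# The if_ipsec(4) policy is '0.0.0.0/0[any] 0.0.0.0/0[any] any', and the
# quoted debug line shows racoon looking up sainfo with exactly those
# selectors. Writing the sainfo selectors as the same catch-all prefixes
# (instead of host addresses) is what lets the id comparison succeed;
# 'remoteid 30' then restricts this block to the peer whose ph1id is 30,
# so one sainfo block per tunnel can coexist without a single
# 'sainfo anonymous' binding every SA to the last configured interface.
sainfo address 0.0.0.0/0 any address 0.0.0.0/0 any {
        remoteid 30;
        pfs_group 2;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

Repeat the remote/sainfo pair for ipsec25 and ipsec26 with their own ph1id/remoteid values. Following Andrey's advice above, stop racoon and flush stale state with `setkey -DF` and `setkey -DPF` before restarting it, then check `setkey -D`: each negotiated SA should report the reqid of the interface it belongs to (for example `reqid=30`), and `setkey -DP` should still list the per-interface policies with their ifname.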
