Hi Victor, I’m struggling with the same issue. My sainfo doesn’t match unless I use anonymous.
Hi Andrey,

What I don’t understand is why a “catchall” policy is added instead of the policy that matches the inner tunnel. What is supposed to happen here? Is the IKE daemon supposed to update the policy once started?

Peter

> On 25 Apr 2018, at 13:48, Victor Gamov <v...@otcnet.ru> wrote:
>
> On 23/04/2018 15:43, Andrey V. Elsukov wrote:
>> Your security associations don't match your security policies.
>> Probably you did interface reconfiguration without clearing old SAs.
>> I think your configuration will work if you first do the if_ipsec(4)
>> configuration, then start racoon and it will generate SAs.
>> To clear all old/stale configured SAs you can first stop racoon, then
>> run `setkey -DF` and `setkey -DPF`.
>
> Hi Andrey
>
> Thanks for your advice: I found a typo in my rc.conf and now the ipsec interfaces
> are created with the proper reqid.
>
> After all ipsec interfaces are created I have many SPD entries configured like
> '0.0.0.0/0[any] 0.0.0.0/0[any] any' with properly configured
> ifname=ipsec[25|26|30]
>
> But now I'm sure I have a racoon misconfiguration: if I use one "sainfo
> anonymous" then all created SAs bind to the last configured ipsec interface. So I
> need a sainfo entry for every remote entry.
>
> But I still can't understand how to bind the SPD automatically created by
> 'ifconfig ipsec30 reqid 30 ...' to an SA configured like
> =====
> remote __Cisco_IP_30__ {
>     my_identifier address __FreeBSD_IP__;
>     peers_identifier address __Cisco_IP_30__;
>     ph1id 30;
> }
> sainfo ??? {
>     remoteid 30;
> }
> =====
>
> If I configure
> sainfo address __FreeBSD_IP__ any address __Cisco_IP_30 any {
>     remoteid 30;
>     .....
> }
>
> then I've got the following error
> =====
> racoon: DEBUG: getsainfo params: loc='0.0.0.0/0' rmt='0.0.0.0/0'
> peer='__Cisco_IP_30__' client='__Cisco_IP_30__' id=30
> racoon: DEBUG: evaluating sainfo: loc='__FreeBSD_IP__',
> rmt='__Cisco_IP_30__', peer='ANY', id=30
> racoon: DEBUG: check and compare ids : value mismatch (IPv4_address)
> racoon: DEBUG: cmpid target: '0.0.0.0/0'
> racoon: DEBUG: cmpid source: '__FreeBSD_IP__'
> racoon: DEBUG: IV freed
> =====
>
> Can you please explain to me how sainfo (or something else) must be properly
> configured?
>
> Thanks!
>
> --
> CU,
> Victor Gamov
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
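For readers following the racoon debug output quoted above: the `id=30` part of the lookup already matches, and only the address comparison fails, because racoon evaluates the sainfo against the catch-all selectors of the if_ipsec(4) policy (`loc='0.0.0.0/0' rmt='0.0.0.0/0'`). The racoon.conf fragment below is an added illustration, not configuration from the thread or from FreeBSD: it gives each peer a sainfo whose selectors are that same catch-all and lets `remoteid`/`ph1id` do the per-peer binding. The second peer (`__Cisco_IP_25__`, reqid 25), the proposal algorithms and the pre-shared-key method are assumptions; the thread does not confirm that this resolves the problem.

```conf
# Assumed racoon.conf fragment (added example, not from the thread).
# One remote/sainfo pair per if_ipsec(4) interface.

remote __Cisco_IP_30__ {
        exchange_mode main;
        my_identifier address __FreeBSD_IP__;
        peers_identifier address __Cisco_IP_30__;
        ph1id 30;                        # pairs with the sainfo's remoteid 30
        proposal {
                encryption_algorithm aes 256;
                hash_algorithm sha256;
                authentication_method pre_shared_key;
                dh_group 14;
        }
}

# Selectors are the same catch-all racoon logs as getsainfo params
# (loc='0.0.0.0/0' rmt='0.0.0.0/0'); remoteid narrows it to ph1id 30.
sainfo address 0.0.0.0/0 any address 0.0.0.0/0 any {
        remoteid 30;
        pfs_group 14;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha256;
        compression_algorithm deflate;
}

# Second peer, assumed to sit behind ipsec25 (reqid 25).
remote __Cisco_IP_25__ {
        exchange_mode main;
        my_identifier address __FreeBSD_IP__;
        peers_identifier address __Cisco_IP_25__;
        ph1id 25;
        proposal {
                encryption_algorithm aes 256;
                hash_algorithm sha256;
                authentication_method pre_shared_key;
                dh_group 14;
        }
}

sainfo address 0.0.0.0/0 any address 0.0.0.0/0 any {
        remoteid 25;                     # same selectors, different peer
        pfs_group 14;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha256;
        compression_algorithm deflate;
}
```

After changing this, apply Andrey's cleanup order from the thread (stop racoon, `setkey -DF`, `setkey -DPF`, bring up the ipsec interfaces, start racoon) and check with `setkey -D` that each SA carries the reqid of its interface's policy.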