Hi Victor,
I’m struggling wit the same issue. My sainfo doesn’t match unless I use
anonymous.
Hi Andrey,
What I don’t understand is why a “catchall” policy is added instead of the
policy that matches the inner tunnel.
What is supposed to happen here? Is the IKE daemon supposed to update the
policy once started.
Peter
> On 25 Apr 2018, at 13:48, Victor Gamov <v...@otcnet.ru> wrote:
>
> On 23/04/2018 15:43, Andrey V. Elsukov wrote:
>> Your security associations doesn't match your security policies.
>> Probably you did interfaces reconfiguration without clearing old SAs.
>> I think your configuration will work, if you first will done if_ipsec(4)
>> configuration, then start racoon and it will generate SAs.
>> To clear all old/stale configured SAs you can first stop racoon, then
>> run `setkey -DF` and `setkey -DPF`.
>
> Hi Andrey
>
> Thanks for your advise: I found typo in my rc.conf and now ipsec interfaces
> created with properly reqid.
>
> After all ipsec-interfaces created I have many SPD entries configured like
> '0.0.0.0/0[any] 0.0.0.0/0[any] any' with properly configured
> ifname=ipsec[25|26|30]
>
>
> But now I'm sure I have racoon misconfiguration: If I use one "sainfo
> anonymous" then all created SA binds to last configured ipsec-interface. So I
> need sainfo-entry for every remote-entry.
>
>
> But I still cann't understand how to bind SPD automatically created by
> 'ifconfig ipsec30 reqid 30 ...' to SA configured like
> =====
> remote __Cisco_IP_30__ {
> my_identifier address __FreeBSD_IP__;
> peers_identifier address __Cisco_IP_30__;
> ph1id 30;
> }
> sainfo ??? {
> remoteid 30;
> }
> =====
>
>
> If I configure
> sainfo address __FreeBSD_IP__ any address __Cisco_IP_30 any {
> remoteid 30;
> .....
> }
>
> then I've got following error
> =====
> racoon: DEBUG: getsainfo params: loc='0.0.0.0/0' rmt='0.0.0.0/0'
> peer='__Cisco_IP_30__' client='__Cisco_IP_30__' id=30
> racoon: DEBUG: evaluating sainfo: loc='__FreeBSD_IP__',
> rmt='__Cisco_IP_30__', peer='ANY', id=30
> racoon: DEBUG: check and compare ids : value mismatch (IPv4_address)
> racoon: DEBUG: cmpid target: '0.0.0.0/0'
> racoon: DEBUG: cmpid source: '__FreeBSD_IP__'
> racoon: DEBUG: IV freed
> =====
>
>
> Can you please explain me how sainfo (or something else) must be properly
> configured?
>
> Thanks!
>
> --
> CU,
> Victor Gamov
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
