On 12.06.2018 17:02, Patrick Lamaiziere wrote:
> # setkey -f /etc/ipsec.conf
> # setkey -D
> 129.20.128.149 129.20.128.78
>       tcp mode=any spi=106079004(0x0652a31c) reqid=0(0x00000000)
>       A: tcp-md5  73656372 6574
>       seq=0x00000000 replay=0 flags=0x00000040 state=mature 
>       created: Jun 12 15:57:28 2018   current: Jun 12 15:57:36 2018
>       diff: 8(s)      hard: 0(s)      soft: 0(s)
>       last:                           hard: 0(s)      soft: 0(s)
>       current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
>       allocated: 0    hard: 0 soft: 0
>       sadb_seq=1 pid=5405 refcnt=1
> 129.20.128.78 129.20.128.149
>       tcp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
>       A: tcp-md5  73656372 6574
>       seq=0x00000000 replay=0 flags=0x00000040 state=mature 
>       created: Jun 12 15:57:28 2018   current: Jun 12 15:57:36 2018
>       diff: 8(s)      hard: 0(s)      soft: 0(s)
>       last:                           hard: 0(s)      soft: 0(s)
>       current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
>       allocated: 0    hard: 0 soft: 0
>       sadb_seq=0 pid=5405 refcnt=1
> 
> spi field looks wrong :(
>
> That works fine on FreeBSD 10.3
> 
> Same problem on a FreeBSD 11.1-STABLE #1 r326391: Thu Nov 30 12:07:50
> CET 2017 

The SPI isn't used with TCP (it isn't sent over the network). It is here
since it is required to create an SA in the SADB. In 11.0 the SADB/SPDB
were changed, and now each SA must have a unique SPI. To not break old
applications, a compatibility shim was added: for TCP-MD5 SAs it is
supported to use the single SPI 0x1000, and it is allowed to add several
SAs with the same SPI, but actually they will use auto-generated values.

Two years ago I sent the patch to the bird developers, but have not
received any answer.

-- 
WBR, Andrey V. Elsukov

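An added example, not from the thread and not FreeBSD's or bird's own code: a Python script that parses `setkey -D` output like the dump quoted above and applies the rule described in the reply (every SA must have a unique SPI; the compat SPI 0x1000 may be reused in the config, but the kernel substitutes auto-generated values). The embedded sample dump is constructed from the output in the thread; the regexes and helper names are assumptions about the dump format, not an official API.

```python
"""Audit TCP-MD5 SAs in a FreeBSD `setkey -D` dump (added example)."""
import re
from dataclasses import dataclass

COMPAT_SPI = 0x1000  # the single SPI the TCP-MD5 compatibility shim accepts

# Constructed sample: the two SAs quoted in the thread, abbreviated.
SAMPLE_DUMP = """\
129.20.128.149 129.20.128.78
\ttcp mode=any spi=106079004(0x0652a31c) reqid=0(0x00000000)
\tA: tcp-md5  73656372 6574
\tseq=0x00000000 replay=0 flags=0x00000040 state=mature
\tcreated: Jun 12 15:57:28 2018\tcurrent: Jun 12 15:57:36 2018
\tsadb_seq=1 pid=5405 refcnt=1
129.20.128.78 129.20.128.149
\ttcp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
\tA: tcp-md5  73656372 6574
\tseq=0x00000000 replay=0 flags=0x00000040 state=mature
\tcreated: Jun 12 15:57:28 2018\tcurrent: Jun 12 15:57:36 2018
\tsadb_seq=0 pid=5405 refcnt=1
"""


@dataclass
class SA:
    src: str
    dst: str
    proto: str = ""
    spi: int = 0
    auth_alg: str = ""
    key: bytes = b""
    state: str = ""


# Assumed layout: an unindented "src dst" header, then indented attribute lines.
HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s*$")
PROTO_RE = re.compile(r"^\s+(\S+)\s+mode=\S+\s+spi=(\d+)\(0x[0-9a-fA-F]+\)")
AUTH_RE = re.compile(r"^\s+A:\s+(\S+)\s+([0-9a-fA-F ]+?)\s*$")
STATE_RE = re.compile(r"\bstate=(\w+)")


def parse_setkey_dump(text: str) -> list[SA]:
    """Split a setkey -D dump into SA records, one per header line."""
    sas: list[SA] = []
    cur = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            m = HEADER_RE.match(line)
            cur = SA(src=m.group(1), dst=m.group(2)) if m else None
            if cur:
                sas.append(cur)
            continue
        if cur is None:
            continue
        if m := PROTO_RE.match(line):
            cur.proto = m.group(1)
            cur.spi = int(m.group(2))
        elif m := AUTH_RE.match(line):
            cur.auth_alg = m.group(1)
            # setkey prints the raw key in hex, grouped in 32-bit words
            cur.key = bytes.fromhex(m.group(2).replace(" ", ""))
        elif m := STATE_RE.search(line):
            cur.state = m.group(1)
    return sas


def spi_kind(sa: SA) -> str:
    """'compat' if the SA still carries the shim's fixed SPI, else 'auto'."""
    return "compat" if sa.spi == COMPAT_SPI else "auto"


def duplicate_spis(sas: list[SA]) -> set[int]:
    """SPIs shared by more than one SA; expected empty on 11.0 and later."""
    seen: set[int] = set()
    dups: set[int] = set()
    for sa in sas:
        (dups if sa.spi in seen else seen).add(sa.spi)
    return dups


def unpaired_tcp_md5(sas: list[SA]) -> list[SA]:
    """TCP-MD5 SAs lacking a reverse-direction SA with the same key.

    TCP-MD5 signs segments in both directions, so each direction needs an
    SA and both must carry the same key.
    """
    tcp = [sa for sa in sas if sa.proto == "tcp" and sa.auth_alg == "tcp-md5"]
    by_pair = {(sa.src, sa.dst): sa for sa in tcp}
    return [sa for sa in tcp
            if (sa.dst, sa.src) not in by_pair
            or by_pair[(sa.dst, sa.src)].key != sa.key]


def report(sas: list[SA]) -> list[str]:
    """Human-readable summary lines for a parsed dump."""
    lines = [f"{sa.src} -> {sa.dst}: {sa.proto} spi={sa.spi:#010x} "
             f"({spi_kind(sa)}) {sa.auth_alg} state={sa.state}" for sa in sas]
    lines.append(f"duplicate SPIs: {sorted(duplicate_spis(sas)) or 'none'}")
    lines.append(f"unpaired TCP-MD5 SAs: {len(unpaired_tcp_md5(sas))}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_setkey_dump(SAMPLE_DUMP))))
```

Run against the dump in the thread, the report shows one SA on the compat SPI 0x1000 and one on an auto-generated SPI, no duplicate SPIs, and both directions paired with the same key, which is exactly the shim behaviour described in the reply. Note also that `setkey -D` prints the authentication key in hex: `73656372 6574` is the ASCII string `secret`, so a pasted dump discloses the TCP-MD5 password.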