On 04.04.2017 00:39, Mike Tancsa wrote:
> Hi,
> I ran into a strange problem when migrating a box that makes use of tcp
> md5 signatures. Having these two policies that have IPs which happen to
> be 128 octets apart get rejected
It seems you have encrypted your config, because I don't see an IP with 128 octets :)

One question: did this even work before? You have many SAs with the same destination address. It seems to me that this should not work with the old IPsec code, because it does SA lookups using only the destination address. So, if you do not have the same password for each SA, it should not work.

Can you try the attached patch?

-- 
WBR, Andrey V. Elsukov
Index: sys/netipsec/key.c =================================================================== --- sys/netipsec/key.c (revision 316434) +++ sys/netipsec/key.c (working copy) @@ -863,7 +863,8 @@ key_allocsa_tcpmd5(struct secasindex *saidx) kdebug_secash(sah, " ")); if (sah->saidx.proto != IPPROTO_TCP) continue; - if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0)) + if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) && + !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0)) break; } if (sah != NULL) { @@ -4962,7 +4963,8 @@ key_getsav_tcpmd5(struct secasindex *saidx, uint32 LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) { if (sah->saidx.proto != IPPROTO_TCP) continue; - if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0)) + if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) && + !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0)) break; } if (sah != NULL) {
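Review bot: In the key_allocsa_tcpmd5 hunk, the added `!key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0)` makes the match strict on the source address as well, so any TCP SA that was installed without a usable source address (which the old destination-only comparison never looked at) will no longer be found and the lookup falls through to the `sah == NULL` path; please confirm that every caller of key_allocsa_tcpmd5 fills in saidx->src, or note in the commit message that TCP-MD5 SAs must now carry both addresses.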
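Review bot: The key_getsav_tcpmd5 hunk duplicates, line for line, the dst-and-src predicate just added to key_allocsa_tcpmd5; since both loops already apply the same `if (sah->saidx.proto != IPPROTO_TCP) continue;` filter, factoring the two-line comparison into one small static helper (a hypothetical key_tcpmd5_saidx_match(saidx, &sah->saidx), for example) would keep the two lookup paths from drifting apart when the match rule changes again.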
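To make the failure mode described in the reply concrete, here is an added stand-alone C illustration (not code from the FreeBSD tree or from the patch): a constructed two-entry SA table whose entries share a destination but differ in source, looked up first the old way (destination only) and then the patched way (destination and source). The addresses, secrets and function names are assumptions for the illustration.

```c
/* Added illustration, not FreeBSD code: destination-only vs. src+dst
 * TCP-MD5 SA lookup. SA table, addresses and secrets are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct sa_entry {        /* minimal stand-in for a TCP-MD5 SA */
    const char *src;     /* source address in the SA's saidx */
    const char *dst;     /* destination address in the SA's saidx */
    const char *key;     /* TCP-MD5 shared secret for this peer */
};

/* Two SAs that share a destination but differ in source (constructed). */
static const struct sa_entry sadb[] = {
    { "10.0.0.1",   "192.0.2.1", "peer-one-secret" },
    { "10.0.0.129", "192.0.2.1", "peer-two-secret" },
};
#define NSA (sizeof sadb / sizeof sadb[0])

/* Old behaviour: the first SA whose destination matches wins; the
 * source address is never consulted. */
const struct sa_entry *lookup_dst_only(const char *src, const char *dst)
{
    (void)src;
    for (size_t i = 0; i < NSA; i++)
        if (strcmp(sadb[i].dst, dst) == 0)
            return &sadb[i];
    return NULL;
}

/* Patched behaviour: both source and destination must match. */
const struct sa_entry *lookup_src_dst(const char *src, const char *dst)
{
    for (size_t i = 0; i < NSA; i++)
        if (strcmp(sadb[i].dst, dst) == 0 &&
            strcmp(sadb[i].src, src) == 0)
            return &sadb[i];
    return NULL;
}

int main(void)
{
    /* A segment belonging to the second SA: the old lookup returns the
     * first SA's secret, so the MD5 signature is checked against the
     * wrong key and the segment is rejected. */
    const struct sa_entry *o = lookup_dst_only("10.0.0.129", "192.0.2.1");
    const struct sa_entry *n = lookup_src_dst("10.0.0.129", "192.0.2.1");
    printf("dst-only lookup -> %s\n", o->key);   /* peer-one-secret */
    printf("src+dst lookup  -> %s\n", n->key);   /* peer-two-secret */
    return 0;
}
```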