On 04.04.2017 13:55, Mike Tancsa wrote:
>> You have many SAs with the same destination address. It seems to me
>> that this should not work with the old IPsec code, because it does SA
>> lookups using only the destination address. So, if you do not have the
>> same password for each SA, it should not work.
>>
>> Can you try the attached patch?
>>
>
> It did. In the past, inbound sigs I think just didn't work, but it was
> uninteresting for the purpose of this app. In this case, it was for bgp

Yes, I checked the stable/10 code; it seems TCP-MD5 always used one SA for
both the inbound and outbound directions.

> passwords. I was more concerned with sending the correct password to
> the peer. So it was one source IP with many destination addresses (over
> a dozen). For the old config I just had the policy in one direction as
> well. It seems now with the new ipsec code, I must have the policy in
> both directions?

Yes, you need an SA for both directions.

> The man page for setkey implies I only need one entry.
>
> Also, should the SPI always be the same, or unique?

The SPI is not used by this code; it is only needed for compatibility with
the SADB. It is better to use a unique SPI for each SA, but for TCP-MD5 it
will work anyway. :)

--
WBR, Andrey V. Elsukov
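The setkey(8) configuration the reply describes, as an added example that is not part of the thread, the attached patch, or the FreeBSD tree: for one local address and many BGP peers it emits a TCP-MD5 SA in both directions per peer, each with its own SPI, and a check that a generated config really has one inbound and one outbound SA per peer with no SPI reused. The function names, the RFC 5737 documentation addresses, the placeholder secrets, and the starting SPI of 0x1000 are all assumptions made for the example; the `add src dst tcp SPI -A tcp-md5 "secret" ;` line form is the one setkey(8) documents for TCP-MD5.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeBSD tree): emit a setkey(8)
# script that installs a TCP-MD5 SA in BOTH directions for every BGP peer,
# with a unique SPI for each SA. Addresses and secrets are placeholders.
#
# Usage: gen_tcpmd5_sas LOCAL_IP "PEER1=SECRET1 PEER2=SECRET2 ..." | setkey -c

gen_tcpmd5_sas() {
    local_ip=$1
    peers=$2
    spi=4096   # 0x1000, an arbitrary start; SPIs 0-255 are reserved
    for entry in $peers; do
        peer=${entry%%=*}
        secret=${entry#*=}
        # Outbound SA: local -> peer. The one-direction config of the old
        # code installed only this SA.
        printf 'add %s %s tcp 0x%x -A tcp-md5 "%s" ;\n' \
            "$local_ip" "$peer" "$spi" "$secret"
        spi=$((spi + 1))
        # Inbound SA: peer -> local. The new IPsec code needs this one too,
        # since it no longer finds an SA by destination address alone.
        printf 'add %s %s tcp 0x%x -A tcp-md5 "%s" ;\n' \
            "$peer" "$local_ip" "$spi" "$secret"
        spi=$((spi + 1))
    done
}

# Verify the property the thread is about: the number of SAs leaving
# LOCAL_IP equals the number arriving at it (one pair per peer), and no
# two SAs share an SPI (field 5 of each "add" line).
check_tcpmd5_sas() {
    conf=$1
    local_ip=$2
    out_n=$(printf '%s\n' "$conf" |
        awk -v l="$local_ip" '$1=="add" && $2==l { n++ } END { print n+0 }')
    in_n=$(printf '%s\n' "$conf" |
        awk -v l="$local_ip" '$1=="add" && $3==l { n++ } END { print n+0 }')
    spi_n=$(printf '%s\n' "$conf" |
        awk '$1=="add" && !seen[$5]++ { n++ } END { print n+0 }')
    [ "$out_n" -gt 0 ] && [ "$out_n" -eq "$in_n" ] &&
        [ "$spi_n" -eq $((out_n + in_n)) ]
}

# Constructed sample: one local address, three peers, a different secret
# for each peer (the case the old destination-only lookup could not serve).
gen_tcpmd5_sas 192.0.2.1 \
    "198.51.100.7=alpha 198.51.100.8=bravo 203.0.113.9=charlie"
```

Piping the output into `setkey -c` loads the SAs; a config that only carries the outbound half, as the old setup did, fails `check_tcpmd5_sas` because the inbound count is zero.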