On 4/4/2017 7:18 AM, Andrey V. Elsukov wrote:
> On 04.04.2017 13:55, Mike Tancsa wrote:
>
> Yes, you need SA for both directions.
>
>> The man page for setkey implies I only need one entry.
>>
>> Also, should the SPI always been the same, or unique ?
>
> SPI is not used by this code, it only nee
On 4/4/2017 7:18 AM, Andrey V. Elsukov wrote:
> On 04.04.2017 13:55, Mike Tancsa wrote:
>>> You have many SAs with the same destination address, it seems to me,
>>> that this should not work with old IPsec code, because it uses SA
>>> lookups using only destination address. So, if you have not the
On 04.04.2017 13:55, Mike Tancsa wrote:
>> You have many SAs with the same destination address, it seems to me,
>> that this should not work with old IPsec code, because it uses SA
>> lookups using only destination address. So, if you have not the same
>> password for each SA, it should not work.
>
On 4/4/2017 2:24 AM, Andrey V. Elsukov wrote:
> On 04.04.2017 00:39, Mike Tancsa wrote:
> It seems you have encrypted your config, because I don't see IP with 128
> octets :)
:)
>
> One question, does this even worked before?
> You have many SAs with the same destination address, it seems to m
On 04.04.2017 00:39, Mike Tancsa wrote:
> Hi,
> I ran into a strange problem when migrating a box that makes use of tcp
> md5 signatures. Having these two policies that have IPs which happen to
> be 128 octets apart get rejected
It seems you have encrypted your config, because I don't see IP
Hi,
I ran into a strange problem when migrating a box that makes use of tcp
md5 signatures. Having these two policies that have IPs which happen to
be 128 octets apart get rejected
add 10.50.34.158 10.50.34.18 tcp 0x101c -A tcp-md5 "test14" ;
add 10.50.34.30 10.50.34.18 tcp 0x1002 -A tcp-