can't bound with OOB bonding. SDK13 nRF52 S132

Question

Hi! 
 I can't start project with OOB bonding. If I set settings like just works (MITM = 0, OOB =0), all works correct. But I need more security for bounding. For this reason I want to use OOB bonding. Or you can advise to me another mode for secure bounding. 
 I use on advertise size only MITM = 1, BOND = 1, OOB =1, like discribed here:
 link 
 On the central side I use PM, white list and same settings for OOB bound: MITM = 1, BOND = 1, OOB =1 
 And after start project, no bound central with peripherial.
May be I have some wrongs when PM and white list init on central side? 
 void peer_manager_init(void)
{
ble_gap_sec_params_t sec_param;
ret_code_t err_code;

err_code = pm_init();
APP_ERROR_CHECK(err_code);

memset(&sec_param, 0, sizeof(ble_gap_sec_params_t));

sec_param.bond = SEC_PARAM_BOND;
sec_param.mitm = SEC_PARAM_MITM;
sec_param.lesc = SEC_PARAM_LESC;
sec_param.keypress = SEC_PARAM_KEYPRESS;
sec_param.io_caps = SEC_PARAM_IO_CAPABILITIES; 
sec_param.oob = SEC_PARAM_OOB;
sec_param.min_key_size = SEC_PARAM_MIN_KEY_SIZE;
sec_param.max_key_size = SEC_PARAM_MAX_KEY_SIZE;
sec_param.kdist_own.enc = 1;
sec_param.kdist_own.id = 1;
sec_param.kdist_peer.enc = 1;
sec_param.kdist_peer.id = 1;

err_code = pm_sec_params_set(&sec_param);
APP_ERROR_CHECK(err_code);

err_code = pm_register(pm_evt_handler);
APP_ERROR_CHECK(err_code);
}
 
 I whitelist init after scan start: 
 void scan_start(void)
{
uint32_t flash_busy;

if(ble_conn_state_n_centrals() >= CENTRAL_LINK_COUNT)
	return;

scan_stop();

(void) fs_queued_op_count_get(&flash_busy);
if(flash_busy != 0)
 return;

ble_gap_addr_t whitelist_addrs[8];
ble_gap_irk_t whitelist_irks[8];

memset(whitelist_addrs, 0x00, sizeof(whitelist_addrs));
memset(whitelist_irks, 0x00, sizeof(whitelist_irks));

uint32_t addr_cnt = (sizeof(whitelist_addrs) / sizeof(ble_gap_addr_t));
uint32_t irk_cnt = (sizeof(whitelist_irks) / sizeof(ble_gap_irk_t));

whitelist_load();

ret_code_t ret = pm_whitelist_get(whitelist_addrs, &addr_cnt, whitelist_irks, &irk

	m_scan_param.use_whitelist = (((addr_cnt == 0) && (irk_cnt == 0)) || (m_bonding)) ? 0 : 1;

	if(ble_conn_state_n_centrals() == 0)
	{
 m_scan_param.interval = BLE_GAP_SCAN_INTERVAL_MAX;
 m_scan_param.window = BLE_GAP_SCAN_WINDOW_MAX;
	}
	else
	{
 m_scan_param.interval = SCAN_INTERVAL;
 m_scan_param.window = SCAN_WINDOW;
	}
	
ret = sd_ble_gap_scan_start(&m_scan_param);
APP_ERROR_CHECK(ret);
}

Mikhail · Accepted Answer

I use static passkey.
I was try next configuration:
Peripherial - 
 #define SEC_PARAM_BOND 1 
#define SEC_PARAM_MITM 1 
#define SEC_PARAM_LESC 0
#define SEC_PARAM_IO_CAPABILITIES BLE_GAP_IO_CAPS_DISPLAY_ONLY 
#define SEC_PARAM_OOB 0 
...
static void gap_params_init(void)
{
uint32_t err_code;
ble_opt_t static_pin_option;
static_pin_option.gap_opt.passkey.p_passkey = (uint8_t *)pass.passkey;
err_code = sd_ble_opt_set(BLE_GAP_OPT_PASSKEY, &static_pin_option);
APP_ERROR_CHECK(err_code);
...
 
 on central side I use next: 
 #define SEC_PARAM_BOND 1 
#define SEC_PARAM_MITM 1 
#define SEC_PARAM_LESC 0 
#define SEC_PARAM_KEYPRESS 0 
#define SEC_PARAM_IO_CAPABILITIES BLE_GAP_IO_CAPS_KEYBOARD_ONLY 

...

static void gap_params_init(void)
{
uint32_t err_code;
ble_opt_t static_pin_option;
static_pin_option.gap_opt.passkey.p_passkey = (uint8_t *)pass.passkey;
err_code = sd_ble_opt_set(BLE_GAP_OPT_PASSKEY, &static_pin_option);
APP_ERROR_CHECK(err_code);	
 
 Now I can pair and bond those 2 devices. Work fine.
But I claim that if I clone MAC on another,I can connect to central despite was not bonded before.
Check it himself.
My be should use another type of passkey? Just tell me what should I do next? And where should modify in code?