FreeBSD 9-RC1, openbgpd, tcp md5
Patrick Lamaiziere
patfbsd at davenulle.org
Fri Nov 4 12:57:06 UTC 2011
On Fri, 4 Nov 2011 11:13:21 +0100,
Borja Marcos <borjam at sarenet.es> wrote:
> I'm testing a set up for OpenBGPd with FreeBSD 9-RC1 (amd64). For now
> I'm trying on two virtual machines. Using the stock GENERIC kernel it
> works, although of course it doesn't have TCP MD5 support, which I
> require.
>
> I've compiled new kernels with the TCP MD5 support (options IPSEC,
> device crypto and options TCP_SIGNATURE), and after installing it on
> both machines OpenBGPd no longer works. No matter if I try to
> configure the bgp sessions with TCP-MD5 or not, the sessions won't
> work.
>
> Any ideas? As far as I know, this should work. The daemon is
> complaining that there's no kernel support for pf_key.
Isn't there a new option to build openbgpd with tcp-md5 (and without pf_key)?
I've used TCP-MD5 signature for bgp between a FreeBSD 8.x and OpenBSD,
using setkey(8) to enforce the signature between the peers. That
worked (of course, then you shouldn't use tcp-md5 in openbgpd).
setkey(8):
# one SA per direction, same key on both peers
add -4 peer1 peer2 tcp 0x1000 -A tcp-md5 "PASSWORD";
add -4 peer2 peer1 tcp 0x1000 -A tcp-md5 "PASSWORD";
kernconf:
# In order to enable IPSEC you MUST also add device crypto to
# your kernel configuration
options IPSEC #IP security (requires device crypto)
device crypto
options TCP_SIGNATURE #include support for RFC 2385
Regards.
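Added illustration, not part of the original thread: the RFC 2385 digest that the TCP_SIGNATURE kernel computes over each segment with the key installed by setkey(8), showing why a separate SA is needed per direction and why both peers must share the key. Addresses, ports and the builder/verifier function names are constructed for the example.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

MD5_OPT_KIND, MD5_OPT_LEN = 19, 18  # RFC 2385 option: kind, length, 16-byte digest

def rfc2385_digest(src_ip, dst_ip, tcp_header, payload, key):
    # Digest covers: IPv4 pseudo-header, the 20 fixed TCP header bytes with the
    # checksum zeroed (options excluded), the payload, and finally the key.
    seg_len = len(tcp_header) + len(payload)
    pseudo = IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
    pseudo += struct.pack("!BBH", 0, 6, seg_len)
    fixed = bytearray(tcp_header[:20])
    fixed[16:18] = b"\x00\x00"
    h = hashlib.md5(pseudo)
    h.update(bytes(fixed))
    h.update(payload)
    h.update(key)
    return h.digest()

def build_signed_segment(src_ip, dst_ip, sport, dport, seq, payload, key):
    # 20-byte fixed header + 18-byte MD5 option + 2 NOPs = 40 bytes (data offset 10).
    flags_syn = 0x02
    header = bytearray(struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                                   10 << 4, flags_syn, 65535, 0, 0))
    header += bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + bytes(16) + b"\x01\x01"
    header[22:38] = rfc2385_digest(src_ip, dst_ip, bytes(header), payload, key)
    return bytes(header)

def verify_signed_segment(src_ip, dst_ip, header, payload, key):
    # Walk the TCP options to find kind 19, recompute, compare in constant time.
    hlen = (header[12] >> 4) * 4
    i = 20
    while i < hlen:
        kind = header[i]
        if kind == 0:
            break
        if kind == 1:  # NOP
            i += 1
            continue
        length = header[i + 1]
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            expected = rfc2385_digest(src_ip, dst_ip, header, payload, key)
            return hmac.compare_digest(header[i + 2:i + 18], expected)
        i += length
    return False  # no signature option: a TCP_SIGNATURE peer drops the segment
```

Swapping source and destination addresses in the verifier fails, which is exactly why the setkey(8) configuration above needs an entry for each direction.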