[Bug 218907] tcpmd5 kernel module on STABLE/11 doesn't work with vultr bgp via bird
bugzilla-noreply at freebsd.org
Thu Apr 27 05:56:57 UTC 2017
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218907
Bug ID: 218907
Summary: tcpmd5 kernel module on STABLE/11 doesn't work with vultr bgp via bird
Product: Base System
Version: 11.0-STABLE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: freebsd-bugs at joe.mulloy.me
Hello,
I have set up some servers on the cloud provider Vultr and I have set up a
floating IP for load balancing/high availability via BGP. Vultr's BGP system
requires using an MD5 TCP signature which before r313330 in current and r315514
in stable/11 was not available as a module and required compiling a custom
kernel with the TCP_SIGNATURE option enabled. I prefer to be able to just use
freebsd-update so I found this quite inconvenient, but I am dealing with
compiling and distributing a custom kernel anyways. However with this kernel my
servers keep freezing with no useful error message which is incredibly
frustrating. I figured that perhaps now that this functionality has been
getting some work that whatever bug I'm hitting may be fixed in STABLE/11. So I
tried using the kernel in the snapshot tarball for STABLE/11, but it's lacking
the IPSEC_SUPPORT option, so I still have to compile my own kernel for the
tcpmd5 module to load/work. I've done this, I have built the STABLE/11 kernel
from r317316 and the module loads and bird doesn't complain about the TCP MD5
feature being missing. However BIRD isn't able to actually establish a
connection to the other end, so it seems the TCP MD5 feature is now broken. I
haven't upgraded my userland, it's still 11.0-RELEASE-p9 but I believe it
should still work fine on an 11/STABLE kernel.
Perhaps I'm doing something wrong here, but I can't figure out a working
solution and I can't find any documentation. It seems this md5 tcp signature
feature is rarely used and hard to even turn on.
Please let me know what I can do to assist in debugging these issues. I'm glad
that tcp md5 signatures will finally be easy to enable. I hope it won't be too
hard to get this fixed.
Issues:
1. IPSEC_SUPPORT still not enabled in GENERIC kernel, so I still have to
compile my own kernel for the tcpmd5 kernel module to actually work
2. The tcp md5 signature feature doesn't seem to work, the other end rejects my
server as if I had the wrong password.
Vultr BGP Guide:
https://www.vultr.com/docs/high-availability-on-vultr-with-floating-ip-and-bgp
Bug tracking the splitting of ipsec and tcp md5 to separate kernel modules.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212018
Bird output showing that BGP session can't be established.
root at vps-vu-nj-1b:~ # birdc show proto all vultr
BIRD 1.6.3 ready.
name     proto    table    state  since       info
vultr    BGP      master   start  05:14:24    Connect       Socket: Connection refused
  Preference:     100
  Input filter:   REJECT
  Output filter:  ACCEPT
  Routes:         0 imported, 0 exported, 0 preferred
  Route change stats:     received   rejected   filtered    ignored   accepted
    Import updates:              0          0          0          0          0
    Import withdraws:            0          0        ---          0          0
    Export updates:              0          0          0        ---          0
    Export withdraws:            0        ---        ---        ---          0
  BGP state:          Connect
    Neighbor address: 169.254.169.254
    Neighbor AS:      64515
    Last error:       Socket: Connection refused