[Solved] Re: IP fast forwarding and setkey

Paul S. contact at winterei.se
Sun Sep 21 14:01:33 UTC 2014


So, just to notify -- I got a copy of the pfsense port of OpenBGPD 
(available from the pfsense-tools repository -- see 
https://forum.pfsense.org/index.php?topic=76132.0) and TCP-MD5 indeed 
does work in the build.

Configuring local-address per peer is mandatory, however. I think it 
uses that to configure the SPDs.

Cheers!

On 9/21/2014 07:35 PM, Ermal Luçi wrote:
>
>
> On Sun, Sep 21, 2014 at 12:31 PM, Paul S. <contact at winterei.se 
> <mailto:contact at winterei.se>> wrote:
>
>     Ermal,
>
>     I'd prefer a raw BSD installation (Call it a comfort thing, if you
>     will).
>
>     Has the pfSense project actually managed to patch OpenBGPD to
>     remove its dependency on OpenBSD specific bindings for TCP_MD5?
>
>     It might be worth it to just try to build their fork, if that's
>     the case.
>
>     Thank you for responding!
>
>
> Yeah, the OpenBGPd port of pfSense has support for installing SPDs 
> without setkey.
>
>
>     On 9/21/2014 07:26 PM, Ermal Luçi wrote:
>>     If that is an option for you, pfSense has all the hard work done for
>>     you and you can use it for such installations.
>>
>>     On Sun, Sep 21, 2014 at 12:08 PM, Paul S. <contact at winterei.se
>>     <mailto:contact at winterei.se>> wrote:
>>
>>         Hi folks,
>>
>>         I plan to make an edge router out of a freebsd system with
>>         OpenBGPD + FreeBSD 10, or such.
>>
>>         I've been reading up, and noticed that the
>>         net.inet.ip.fastforwarding flag provides rather nice
>>         performance benefits.
>>
>>         My issue is, my upstream networks insist on using TCP MD5
>>         authentication on their BGP sessions.
>>
>>         This is fine, except on FreeBSD -- I'm going to have to use
>>         the setkey utility to set those since native PF_KEY support
>>         for OpenBGPD does not seem available.
>>
>>         Now, since setkey is part of IPSec, and there are countless
>>         warnings about using IPSec and fastforwarding together in the
>>         manpage, am I correct in assuming that this will not work if
>>         I have fastforwarding enabled?
>>
>>         Is there any way to make it work? Quagga, from what I've
>>         read, seems to also be in the same boat (Usage of setkey
>>         required for TCP MD5).
>>
>>         I tried searching the manpages, but couldn't locate anything
>>         concrete on this.
>>
>>         Any assistance/replies are welcome.
>>
>>         Thank you!
>>
>>
>>
>>
>>     -- 
>>     Ermal
>
>
>
>
> -- 
> Ermal
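For reference, an added example that is not from this thread or from either project: a POSIX sh helper that emits the two setkey(8) SAD entries (one per direction, in the form tcp(4) documents) that give a stock-FreeBSD BGP session TCP-MD5 protection for one peer. The addresses and secret are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the setkey(8) entries for
# RFC 2385 TCP-MD5 on a FreeBSD BGP speaker. tcp(4) wants one "tcp-md5"
# SA per direction; the SPI is not used for matching but must be present,
# and 0x1000 is the value the documentation uses.
#
# Usage: tcpmd5_sad_entries LOCAL_IP PEER_IP SECRET
# Apply with:   tcpmd5_sad_entries 192.0.2.2 192.0.2.1 's3cret' | setkey -c
# or append the lines to /etc/ipsec.conf and run: setkey -f /etc/ipsec.conf
# Verify with:  setkey -D   (expect two tcp-md5 entries for the pair)
tcpmd5_sad_entries() {
    local_ip=$1
    peer_ip=$2
    secret=$3

    # An empty secret would silently install entries that authenticate
    # nothing; refuse it instead of emitting a misleading configuration.
    if [ -z "$secret" ]; then
        echo "tcpmd5_sad_entries: empty secret refused" >&2
        return 1
    fi
    # The secret is emitted inside double quotes, so one inside it would
    # break the setkey grammar.
    case $secret in
        *\"*) echo "tcpmd5_sad_entries: secret must not contain '\"'" >&2
              return 1 ;;
    esac
    # Both directions must exist or only one side of the session is signed.
    printf 'add %s %s tcp 0x1000 -A tcp-md5 "%s";\n' "$local_ip" "$peer_ip" "$secret"
    printf 'add %s %s tcp 0x1000 -A tcp-md5 "%s";\n' "$peer_ip" "$local_ip" "$secret"
}
```

The peer side needs the same secret; on the pfSense OpenBGPD port discussed above the equivalent is configured per neighbor in bgpd.conf instead, which is why local-address has to be set there.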