IP fast forwarding and setkey

Jim Thompson jim at netgate.com
Sun Sep 21 18:45:00 UTC 2014



> On Sep 21, 2014, at 10:41, Olivier Cochard-Labbé <olivier at cochard.me> wrote:
> 
>> On Sun, Sep 21, 2014 at 12:08 PM, Paul S. <contact at winterei.se> wrote:
>> 
>> Hi folks,
>> 
>> I plan to make an edge router out of a FreeBSD system with OpenBGPD +
>> FreeBSD 10, or such.
>> 
>> I've been reading up, and noticed that the net.inet.ip.fastforwarding flag
>> provides rather nice performance benefits.
>> 
>> My issue is, my upstream networks insist on using TCP MD5 authentication
>> on their BGP sessions.
>> 
>> This is fine, except on FreeBSD -- I'm going to have to use the setkey
>> utility to set those since native PF_KEY support for OpenBGPD does not seem
>> available.
>> 
>> Now, since setkey is part of IPSec, and there are countless warnings about
>> using IPSec and fastforwarding together in the manpage, am I correct in
>> assuming that this will not work if I have fastforwarding enabled?
>> 
>> Is there any way to make it work? Quagga, from what I've read, seems to
>> also be in the same boat (Usage of setkey required for TCP MD5).
> fastforwarding is not compatible with IPSec only but can be used with
> TCP_MD5 without problem (tested on FreeBSD 10-stable).

Even this is solvable, and will likely occur in a future version of pfSense.

Jim



More information about the freebsd-net mailing list