11.2-RC1 setkey invalid spi ?

Patrick Lamaiziere patfbsd at davenulle.org
Tue Jun 12 14:02:13 UTC 2018 

Le Tue, 12 Jun 2018 14:34:47 +0200,
Patrick Lamaiziere <patfbsd at davenulle.org> a écrit :

Hello

I change the subject because this is not at all related to bird.

> I'm trying Bird 2 on FreeBSD 11.2 using tcp md5 signature for BGP
> connections.
> 
> Bird2 has an option to set the needed ipsec SA/SP but here this does
> not work.
> 
> The first entry (0.0.0.0 129.20.128.78) is correct but the second one
> (129.20.128.78 0.0.0.0) has an invalid spi field (should be 0x1000).
> The spi value changes each time bird runs so it looks uninitialized.
> 
> # setkey -D
> 129.20.128.78 0.0.0.0
> 	tcp mode=any spi=131144976(0x07d11d10) reqid=0(0x00000000)
> 	A: tcp-md5  32626770 2d313421
> 	seq=0x00000000 replay=0 flags=0x00000040 state=mature 
> 	created: Jun 12 14:15:50 2018	current: Jun 12 14:24:31
> 2018 diff: 521(s)	hard: 0(s)	soft: 0(s)
> 	last:                     	hard: 0(s)	soft: 0(s)
> 	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
> 	allocated: 0	hard: 0	soft: 0
> 	sadb_seq=1 pid=49180 refcnt=1
> 0.0.0.0 129.20.128.78
> 	tcp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
> 	A: tcp-md5  32626770 2d313421
> 	seq=0x00000000 replay=0 flags=0x00000040 state=mature 
> 	created: Jun 12 14:15:50 2018	current: Jun 12 14:24:31
> 2018 diff: 521(s)	hard: 0(s)	soft: 0(s)
> 	last:                     	hard: 0(s)	soft: 0(s)
> 	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
> 	allocated: 0	hard: 0	soft: 0
> 	sadb_seq=0 pid=49180 refcnt=1

Well I can reproduce this problem by using setkey(8) :

/etc/ipsec.conf
add 129.20.128.78 129.20.128.149 tcp 0x1000 -A tcp-md5 "secret";
add 129.20.128.149 129.20.128.78 tcp 0x1000 -A tcp-md5 "secret";

# setkey -D
No SAD entries.

# setkey -f /etc/ipsec.conf
# setkey -D
129.20.128.149 129.20.128.78
	tcp mode=any spi=106079004(0x0652a31c) reqid=0(0x00000000)
	A: tcp-md5  73656372 6574
	seq=0x00000000 replay=0 flags=0x00000040 state=mature 
	created: Jun 12 15:57:28 2018	current: Jun 12 15:57:36
2018
	diff: 8(s)	hard: 0(s)	soft: 0(s)
	last:                     	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=1 pid=5405 refcnt=1
129.20.128.78 129.20.128.149
	tcp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
	A: tcp-md5  73656372 6574
	seq=0x00000000 replay=0 flags=0x00000040 state=mature 
	created: Jun 12 15:57:28 2018	current: Jun 12 15:57:36
2018
	diff: 8(s)	hard: 0(s)	soft: 0(s)
	last:                     	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=0 pid=5405 refcnt=1

spi field looks wrongs :(

That works fine on FreeBSD 10.3

Same problem on a FreeBSD 11.1-STABLE #1 r326391: Thu Nov 30 12:07:50
CET 2017 

Regards.

More information about the freebsd-net mailing list