From: Patrick Lamaiziere
To: FreeBSD Net
Subject: (solved) Re: 11.2-RC1 bird 2 BGP invalid ipsec SA/SP
Date: Thu, 14 Jun 2018 15:24:42 +0200
Message-ID: <20180614152442.32b43640@mr185083>
In-Reply-To: <20180612143447.697681c5@mr185083>

On Tue, 12 Jun 2018 14:34:47 +0200, Patrick Lamaiziere wrote:

Hello,

> I'm trying Bird 2 on FreeBSD 11.2 using tcp md5 signature for BGP
> connections.
>
> Bird2 has an option to set the needed ipsec SA/SP but here this does
> not work.
>
> The first entry (0.0.0.0 129.20.128.78) is correct but the second one
> (129.20.128.78 0.0.0.0) has an invalid spi field (should be 0x1000).
> The spi value changes each time bird runs so it looks uninitialized.
>
> # setkey -D
> 129.20.128.78 0.0.0.0
>         tcp mode=any spi=131144976(0x07d11d10) reqid=0(0x00000000)
>         A: tcp-md5  32626770 2d313421
>         seq=0x00000000 replay=0 flags=0x00000040 state=mature
>         created: Jun 12 14:15:50 2018   current: Jun 12 14:24:31 2018
>         diff: 521(s)    hard: 0(s)      soft: 0(s)
>         last:                   hard: 0(s)      soft: 0(s)
>         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
>         allocated: 0    hard: 0 soft: 0
>         sadb_seq=1 pid=49180 refcnt=1
> 0.0.0.0 129.20.128.78
>         tcp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
>         A: tcp-md5  32626770 2d313421
>         seq=0x00000000 replay=0 flags=0x00000040 state=mature
>         created: Jun 12 14:15:50 2018   current: Jun 12 14:24:31 2018
>         diff: 521(s)    hard: 0(s)      soft: 0(s)
>         last:                   hard: 0(s)      soft: 0(s)
>         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
>         allocated: 0    hard: 0 soft: 0
>         sadb_seq=0 pid=49180 refcnt=1

Ok, bird2 with bgp tcp md5 signature works fine, thanks to all.

Bird used 0.0.0.0 as source address in the SA entry, and this is invalid and does not work.

A quick summary:

(Olivier): Bird needs to know the source address of the bgp connection to set the good SAD entries. (0.0.0.0 is invalid)

    protocol bgp R4inet4 {
        local as myas;
        # Bird creates the IPSEC SAD entry automatically but it needs to know the source IP address.
        # Otherwise it will use the wrong 0.0.0.0 IP as source.
        source address 10.0.2.3;
    }

(Andrey): SPI isn't used with TCP (it isn't sent over the network). It is here since it is required to create an SA in the SADB. In 11.0 the SADB/SPDB were changed and now each SA must have a unique SPI. To not break old applications a compatibility shim was added: for TCP-MD5 SAs it is supported to use the one SPI 0x1000, and it is allowed to add several SAs with the same SPI, but actually they will use auto-generated values.

Thanks a lot, regards
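An added example, not from this thread or from Bird: a Python check that parses `setkey -D` output and flags TCP-MD5 SAs with a 0.0.0.0 endpoint (the symptom discussed above), plus a helper that emits the two `setkey` add statements for one session with the 0x1000 SPI the thread describes. The sample dump is constructed from the output quoted above; the local address 10.0.2.3 is taken from the Bird snippet.

```python
import re

# Constructed sample shaped like the "setkey -D" output quoted in the thread:
# two SAs with a 0.0.0.0 endpoint (the failing case) and one with a real source.
SAMPLE_DUMP = """\
129.20.128.78 0.0.0.0
        tcp mode=any spi=131144976(0x07d11d10) reqid=0(0x00000000)
        A: tcp-md5  32626770 2d313421
0.0.0.0 129.20.128.78
        tcp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
        A: tcp-md5  32626770 2d313421
10.0.2.3 129.20.128.78
        tcp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
        A: tcp-md5  32626770 2d313421
"""

WILDCARDS = {"0.0.0.0", "::"}

def parse_setkey_dump(text):
    """Parse "setkey -D" output into dicts with src, dst, proto, spi and auth."""
    sas = []
    for line in text.splitlines():
        if line and not line[0].isspace():
            src, dst = line.split()[:2]          # header line: "<src> <dst>"
            sas.append({"src": src, "dst": dst, "proto": None, "spi": None, "auth": None})
            continue
        if not sas:
            continue                             # indented lines belong to the last SA
        m = re.match(r"\s*(\w+) mode=\w+ spi=\d+\((0x[0-9a-fA-F]+)\)", line)
        if m:
            sas[-1]["proto"], sas[-1]["spi"] = m.group(1), int(m.group(2), 16)
        m = re.match(r"\s*A: (\S+)", line)
        if m:
            sas[-1]["auth"] = m.group(1)
    return sas

def find_invalid_tcpmd5(sas):
    """TCP-MD5 SAs with a wildcard endpoint: the thread reports that such
    entries do not work for the BGP session, so report them for fixing."""
    return [sa for sa in sas
            if sa["auth"] == "tcp-md5" and (sa["src"] in WILDCARDS or sa["dst"] in WILDCARDS)]

def setkey_tcpmd5_conf(local, peer, secret):
    """"setkey -c" statements for both directions of one session, using the
    SPI 0x1000 value the thread describes as accepted for TCP-MD5 SAs."""
    return "\n".join(f'add {a} {b} tcp 0x1000 -A tcp-md5 "{secret}";'
                     for a, b in ((local, peer), (peer, local)))
```

Feed it the real dump with `parse_setkey_dump(subprocess.check_output(["setkey", "-D"], text=True))` on the router; the two `add` lines are what `setkey -c` expects on stdin.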