Date:      Thu, 14 Jun 2018 15:24:42 +0200
From:      Patrick Lamaiziere <patfbsd@davenulle.org>
To:        FreeBSD Net <freebsd-net@freebsd.org>
Subject:   (solved) Re: 11.2-RC1 bird 2 BGP invalid ipsec SA/SP
Message-ID:  <20180614152442.32b43640@mr185083>
In-Reply-To: <20180612143447.697681c5@mr185083>
References:  <20180612143447.697681c5@mr185083>

On Tue, 12 Jun 2018 14:34:47 +0200,
Patrick Lamaiziere <patfbsd@davenulle.org> wrote:

Hello,

> I'm trying Bird 2 on FreeBSD 11.2 using tcp md5 signature for BGP
> connections.
>
> Bird2 has an option to set the needed ipsec SA/SP but here this does
> not work.
>
> The first entry (0.0.0.0 129.20.128.78) is correct but the second one
> (129.20.128.78 0.0.0.0) has an invalid spi field (should be 0x1000).
> The spi value changes each time bird runs so it looks uninitialized.
>
> # setkey -D
> 129.20.128.78 0.0.0.0
> 	tcp mode=any spi=131144976(0x07d11d10) reqid=0(0x00000000)
> 	A: tcp-md5  32626770 2d313421
> 	seq=0x00000000 replay=0 flags=0x00000040 state=mature
> 	created: Jun 12 14:15:50 2018	current: Jun 12 14:24:31 2018	diff: 521(s)	hard: 0(s)	soft: 0(s)
> 	last:                     	hard: 0(s)	soft: 0(s)
> 	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
> 	allocated: 0	hard: 0	soft: 0
> 	sadb_seq=1 pid=49180 refcnt=1
> 0.0.0.0 129.20.128.78
> 	tcp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
> 	A: tcp-md5  32626770 2d313421
> 	seq=0x00000000 replay=0 flags=0x00000040 state=mature
> 	created: Jun 12 14:15:50 2018	current: Jun 12 14:24:31 2018	diff: 521(s)	hard: 0(s)	soft: 0(s)
> 	last:                     	hard: 0(s)	soft: 0(s)
> 	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
> 	allocated: 0	hard: 0	soft: 0
> 	sadb_seq=0 pid=49180 refcnt=1

Ok, bird2 with bgp tcp md5 signature works fine, thanks to all.

Bird used 0.0.0.0 as the source address in the SA entry, and this
is invalid and does not work.

A quick summary:

(Olivier):
Bird needs to know the source address of the bgp connection to set the
good SAD entries. (0.0.0.0 is invalid)

protocol bgp R4inet4 {
        local as myas;
        # Bird creates the IPSEC SAD entry automatically, but it needs to
        # know the source IP address.
        # Otherwise it will use the wrong 0.0.0.0 IP as source.
        source address 10.0.2.3;

(Andrey)
The SPI isn't used with TCP (it isn't sent over the network). It is here
since it is required to create an SA in the SADB. In 11.0 the SADB/SPDB were
changed and now each SA must have a unique SPI. To avoid breaking old
applications, a compatibility shim was added: for TCP-MD5 SAs it is
supported to use the single SPI 0x1000, and it is allowed to add
several SAs with the same SPI, but actually they will use auto-generated
values.

Thanks a lot, regards
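As an added check (not part of this thread or of bird), the script below scans `setkey -D` output for tcp-md5 SAs that still carry the 0.0.0.0 wildcard as source or destination, which is the symptom described above when bird has no `source address`. It deliberately does not flag an SPI other than 0x1000, since per the summary the kernel auto-generates unique SPIs for such SAs. The sample output and the 10.0.2.3 local address are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample modelled on the thread's `setkey -D` output: two tcp-md5
# SAs using the 0.0.0.0 wildcard (the broken case), one correct SA from the
# hypothetical local address 10.0.2.3, and an unrelated ESP SA that must be
# ignored even though it also names 0.0.0.0.
SAMPLE_SETKEY_D='129.20.128.78 0.0.0.0
    tcp mode=any spi=131144976(0x07d11d10) reqid=0(0x00000000)
    A: tcp-md5  32626770 2d313421
    seq=0x00000000 replay=0 flags=0x00000040 state=mature
0.0.0.0 129.20.128.78
    tcp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
    A: tcp-md5  32626770 2d313421
    seq=0x00000000 replay=0 flags=0x00000040 state=mature
10.0.2.3 129.20.128.78
    tcp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
    A: tcp-md5  32626770 2d313421
    seq=0x00000000 replay=0 flags=0x00000040 state=mature
0.0.0.0 192.0.2.10
    esp mode=tunnel spi=12345(0x00003039) reqid=0(0x00000000)
    E: aes-gcm-16  00000000 00000000 00000000 00000000 00000000
'

# Reads `setkey -D` text on stdin and prints "src dst spi" for every tcp-md5
# SA whose source or destination is the 0.0.0.0 wildcard.
find_wildcard_tcpmd5_sas() {
    awk '
        # An SA record starts with an unindented "src dst" line.
        /^[^ \t]/ { src = $1; dst = $2; spi = "?"; next }
        # The protocol line carries spi=<dec>(<hex>); keep it for the report.
        $1 == "tcp" { for (i = 1; i <= NF; i++) if ($i ~ /^spi=/) spi = substr($i, 5); next }
        # Only tcp-md5 authentication lines belong to the SAs we care about.
        $1 == "A:" && $2 == "tcp-md5" && (src == "0.0.0.0" || dst == "0.0.0.0") {
            print src, dst, spi
        }
    '
}

# Number of offending SAs, convenient for a monitoring check.
count_wildcard_tcpmd5_sas() {
    find_wildcard_tcpmd5_sas | awk 'END { print NR }'
}

# On a live router replace the printf with: setkey -D | find_wildcard_tcpmd5_sas
printf '%s' "$SAMPLE_SETKEY_D" | find_wildcard_tcpmd5_sas
```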
