From: Mike Tancsa (Sentex Communications) <mike@sentex.net>
Date: Thu, 06 Sep 2012 11:31:08 -0400
To: SivaReddy Obili
Cc: freebsd-questions@freebsd.org
Subject: Re: RFC 2385 TCP MD5 support on FreeBSD8.3

On 9/6/2012 11:16 AM, SivaReddy Obili wrote:
>
> But we were not able to configure BGP MD5 on that machine.

Perhaps you could post some details as to what you tried. Did you recompile the kernel with MD5 support?
In the kernel, you need

    options TCP_SIGNATURE
    options IPSEC
    device crypto

If you have not built a custom kernel,

    cd /usr/src/sys/i386/conf
    cp GENERIC router

in the file router,

    options TCP_SIGNATURE
    options IPSEC
    device crypto

in /etc/make.conf add

    KERNCONF=router

then

    cd /usr/src
    make -j4 buildkernel && make installkernel

Then, in /etc/ipsec.conf add something like

    # .18 is the local machine, .29 the remote machine
    add 192.168.134.18 192.168.134.29 tcp 0x1000 -A tcp-md5 "HelloMD5" ;

add to /etc/rc.conf

    ipsec_enable="YES"            # Set to YES to run setkey on ipsec_file
    ipsec_file="/etc/ipsec.conf"  # Name of config file for setkey

cd to /usr/ports/net/quagga and make install

in your bgp config, the peer needs a line like

    neighbor 192.168.134.29 password HelloMD5

        ---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
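An added example, not from the mailing-list thread, of what the kernel does with that shared key once TCP_SIGNATURE is on: it computes the RFC 2385 digest over each segment and rejects segments whose signature option is missing or does not verify. The addresses and key are the ones from the reply above; the port numbers, the sample SYN and the helper names are constructed for this illustration, and the TCP checksum is left at zero because the digest excludes it anyway.

```python
import hashlib
import hmac
import socket
import struct
TCPMD5_KIND, TCPMD5_LEN = 19, 18  # RFC 2385 option: kind 19, total length 18

def tcp_md5_digest(src_ip, dst_ip, tcp_hdr20, payload, key, tcp_len):
    """RFC 2385 digest over: IPv4 pseudo-header, the fixed 20-byte TCP header
    with its checksum zeroed (options excluded), the payload, then the key."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))
    hdr = tcp_hdr20[:16] + b"\x00\x00" + tcp_hdr20[18:]
    return hashlib.md5(pseudo + hdr + payload + key).digest()

def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key):
    """TCP header + signature option (NOP-padded to 20 bytes) + payload.
    The TCP checksum is left at zero; it does not enter the digest."""
    data_off = (20 + TCPMD5_LEN + 2) // 4  # header length in 32-bit words
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      data_off << 4, flags, 65535, 0, 0)
    tcp_len = data_off * 4 + len(payload)
    digest = tcp_md5_digest(src_ip, dst_ip, hdr, payload, key, tcp_len)
    return hdr + bytes([TCPMD5_KIND, TCPMD5_LEN]) + digest + b"\x01\x01" + payload

def verify_signed_segment(src_ip, dst_ip, segment, key):
    """Walk the option list, recompute the signature with the configured key and
    compare in constant time; missing, malformed or mismatching means reject."""
    data_off = (segment[12] >> 4) * 4
    hdr, opts, payload = segment[:20], segment[20:data_off], segment[data_off:]
    received, i = None, 0
    while i < len(opts) and opts[i] != 0:      # kind 0 = end of option list
        if opts[i] == 1:                        # kind 1 = NOP padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            return False                        # truncated or malformed option
        if opts[i] == TCPMD5_KIND and opts[i + 1] == TCPMD5_LEN:
            received = opts[i + 2:i + TCPMD5_LEN]
        i += opts[i + 1]
    if received is None or len(received) != 16:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, hdr, payload, key, len(segment))
    return hmac.compare_digest(received, expected)

if __name__ == "__main__":
    # Constructed sample: a BGP SYN between the two hosts, using the reply's key.
    src, dst, key = "192.168.134.18", "192.168.134.29", b"HelloMD5"
    seg = build_signed_segment(src, dst, 4242, 179, 1, 0, 0x02, b"", key)
    print("valid key:", verify_signed_segment(src, dst, seg, key),
          "wrong key:", verify_signed_segment(src, dst, seg, b"not-the-key"))
```

The same check applied to the reverse direction needs the peer's own security association, which is why a working setup must be able to verify segments in both directions with the same key.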