Date:      Sun, 21 Sep 2014 12:35:57 +0200
From:      Ermal Luçi <eri@freebsd.org>
To:        "Paul S." <contact@winterei.se>
Cc:        freebsd-net <freebsd-net@freebsd.org>
Subject:   Re: IP fast forwarding and setkey
Message-ID:  <CAPBZQG17gC0zm71i5NZ4G49M1j=Z0Ls=dzejwz_wsFEwBAO3xg@mail.gmail.com>
In-Reply-To: <541EA8FE.5080905@winterei.se>
References:  <541EA396.7050201@winterei.se> <CAPBZQG0gCAzmOqr36VZGV1GSaO_8eXdfPV5GqSzO4g4ju%2B6u2A@mail.gmail.com> <541EA8FE.5080905@winterei.se>

On Sun, Sep 21, 2014 at 12:31 PM, Paul S. <contact@winterei.se> wrote:

>  Ermal,
>
> I'd prefer a raw BSD installation (Call it a comfort thing, if you will).
>
> Has the pfSense project actually managed to patch OpenBGPD to remove its
> dependency on OpenBSD specific bindings for TCP_MD5?
>
> It might be worth it to just try to build their fork, if that's the case.
>
> Thank you for responding!
>
>
Yeah, the OpenBGPd port of pfSense has support for installing SPDs without
setkey.


>
> On 9/21/2014 07:26 PM, Ermal Luçi wrote:
>
> If it is an option for you, pfSense has all the hard work done for you and you
> can use it for such installations.
>
> On Sun, Sep 21, 2014 at 12:08 PM, Paul S. <contact@winterei.se> wrote:
>
>> Hi folks,
>>
>> I plan to make an edge router out of a freebsd system with OpenBGPD +
>> FreeBSD 10, or such.
>>
>> I've been reading up, and noticed that the net.inet.ip.fastforwarding
>> flag provides rather nice performance benefits.
>>
>> My issue is, my upstream networks insist on using TCP MD5 authentication
>> on their BGP sessions.
>>
>> This is fine, except on FreeBSD -- I'm going to have to use the setkey
>> utility to set those since native PF_KEY support for OpenBGPD does not seem
>> available.
>>
>> Now, since setkey is part of IPSec, and there are countless warnings
>> about using IPSec and fastforwarding together in the manpage, am I correct
>> in assuming that this will not work if I have fastforwarding enabled?
>>
>> Is there any way to make it work? Quagga, from what I've read, seems to
>> also be in the same boat (Usage of setkey required for TCP MD5).
>>
>> I tried searching the manpages, but couldn't locate anything concrete on
>> this.
>>
>> Any assistance/replies are welcome.
>>
>> Thank you!
>>
>
>
>
>  --
> Ermal
>
>
>


-- 
Ermal


