Date: Fri, 4 Nov 2011 13:41:39 +0100
From: Patrick Lamaiziere <patfbsd@davenulle.org>
To: freebsd-net@freebsd.org
Cc: Borja Marcos <borjam@sarenet.es>
Subject: Re: FreeBSD 9-RC1, openbgpd, tcp md5
Message-ID: <20111104134139.0836f380@mr12941>
In-Reply-To: <DB54BC35-03F0-4B1F-A609-8E40036CB94E@sarenet.es>
References: <DB54BC35-03F0-4B1F-A609-8E40036CB94E@sarenet.es>

On Fri, 4 Nov 2011 11:13:21 +0100, Borja Marcos <borjam@sarenet.es> wrote:

> I'm testing a set up for OpenBGPd with FreeBSD 9-RC1 (amd64). For now
> I'm trying on two virtual machines. Using the stock GENERIC kernel it
> works, although of course it doesn't have TCP MD5 support, which I
> require.
>
> I've compiled new kernels with the TCP MD5 support (options IPSEC,
> device crypto and options TCP_SIGNATURE), and after installing it on
> both machines OpenBGPd no longer works. No matter if I try to
> configure the bgp sessions with TCP-MD5 or not, the sessions won't
> work.
>
> Any ideas? As far as I know, this should work. The daemon is
> complaining that there's no kernel support for pf_key.

Isn't there a new option to build openbgpd with tcp-md5 (and without pf_key)?

I've used TCP-MD5 signature for bgp between a FreeBSD 8.x and OpenBSD, using setkey(8) to enforce the signature between the peers. That worked (of course, then you shouldn't use tcp-md5 in openbgpd).

setkey(8):

add -4 peer1 peer2 tcp 0x1000 -A tcp-md5 "PASSWORD";
add -4 peer2 peer1 tcp 0x1000 -A tcp-md5 "PASSWORD";

kernconf:

# In order to enable IPSEC you MUST also add device crypto to
# your kernel configuration
options IPSEC #IP security (requires device crypto)
device crypto
options TCP_SIGNATURE #include support for RFC 2385

Regards.
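
For reference, the per-segment digest that RFC 2385 (the TCP_SIGNATURE option and the tcp-md5 SAs above) defines, with a check that a received segment carries the right signature. This is an added example, not part of the original message or of FreeBSD/OpenBGPD code; it covers IPv4 only, and the function names, addresses, ports and payload are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """RFC 2385 digest for one IPv4 TCP segment (header, options, payload)."""
    offset = (segment[12] >> 4) * 4  # TCP header length including options
    if offset < 20 or offset > len(segment):
        raise ValueError("bad TCP data offset")
    # 1. Pseudo-header: source, destination, zero, protocol 6, segment length
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    # 2. Fixed 20-byte header: options excluded, checksum taken as zero
    header = segment[:16] + b"\x00\x00" + segment[18:20]
    # 3. Payload, then 4. the shared key
    return hashlib.md5(pseudo + header + segment[offset:] + key).digest()

def find_md5_option(segment):
    """Return the 16-byte signature from TCP option kind 19, or None."""
    opts = segment[20:(segment[12] >> 4) * 4]
    i = 0
    while i < len(opts) and opts[i] != 0:  # kind 0 ends the option list
        if opts[i] == 1:  # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return None  # malformed option
        if opts[i] == 19 and opts[i + 1] == 18:
            return opts[i + 2:i + 18]
        i += opts[i + 1]
    return None

def verify(src_ip, dst_ip, segment, key):
    """True only if the segment carries a signature matching this key."""
    sig = find_md5_option(segment)
    return sig is not None and hmac.compare_digest(
        sig, tcp_md5_digest(src_ip, dst_ip, segment, key))

def build_signed_segment(src_ip, dst_ip, payload, key):
    """Constructed sample: segment to port 179 with NOP, NOP, MD5 option."""
    hdr = struct.pack("!HHIIBBHHH", 49152, 179, 1000, 0, 10 << 4, 0x18, 16384, 0, 0)
    unsigned = hdr + b"\x01\x01\x13\x12" + bytes(16) + payload
    sig = tcp_md5_digest(src_ip, dst_ip, unsigned, key)
    return hdr + b"\x01\x01\x13\x12" + sig + payload

if __name__ == "__main__":
    seg = build_signed_segment("192.0.2.1", "192.0.2.2", b"constructed BGP bytes", b"PASSWORD")
    print("same key:", verify("192.0.2.1", "192.0.2.2", seg, b"PASSWORD"))
    print("other key:", verify("192.0.2.1", "192.0.2.2", seg, b"password"))
```

The key is hashed together with the addresses of the pseudo-header, so a segment only verifies when both peers hold the same password for that address pair.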