Date: Fri, 4 Nov 2011 13:41:39 +0100
From: Patrick Lamaiziere
To: freebsd-net@freebsd.org
Cc: Borja Marcos
Subject: Re: FreeBSD 9-RC1, openbgpd, tcp md5
Message-ID: <20111104134139.0836f380@mr12941>

On Fri, 4 Nov 2011 11:13:21 +0100, Borja Marcos wrote:

> I'm testing a set up for OpenBGPd with FreeBSD 9-RC1 (amd64). For now
> I'm trying on two virtual machines. Using the stock GENERIC kernel it
> works, although of course it doesn't have TCP MD5 support, which I
> require.
>
> I've compiled new kernels with the TCP MD5 support (options IPSEC,
> device crypto and options TCP_SIGNATURE), and after installing it on
> both machines OpenBGPd no longer works. No matter if I try to
> configure the bgp sessions with TCP-MD5 or not, the sessions won't
> work.
>
> Any ideas? As far as I know, this should work. The daemon is
> complaining that there's no kernel support for pf_key.

Isn't there a new option to build openbgpd with tcp-md5 (and without
pf_key)?

I've used TCP-MD5 signature for bgp between a FreeBSD 8.x and OpenBSD,
using setkey(8) to enforce the signature between the peers. That
worked (of course, then you shouldn't use tcp-md5 in openbgpd).

setkey(8):

    add -4 peer1 peer2 tcp 0x1000 -A tcp-md5 "PASSWORD";
    add -4 peer2 peer1 tcp 0x1000 -A tcp-md5 "PASSWORD";

kernconf:

    # In order to enable IPSEC you MUST also add device crypto to
    # your kernel configuration
    options IPSEC #IP security (requires device crypto)
    device crypto
    options TCP_SIGNATURE #include support for RFC 2385

Regards.
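
Added example, not part of the original message and not code from FreeBSD or OpenBGPD: a Python implementation of the RFC 2385 digest that a tcp-md5 key such as the "PASSWORD" in the setkey(8) entries above is used for, with a parser for TCP option kind 19 and a verifier for IPv4 segments. The function names, the 192.0.2.x addresses, ports, sequence numbers and the zero checksum in the sample are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

def tcp_md5_digest(src, dst, tcp_header, payload, key):
    """RFC 2385 digest: pseudo-header, fixed TCP header with zeroed
    checksum (options excluded), segment data, then the key."""
    pseudo = (ipaddress.IPv4Address(src).packed
              + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 6, len(tcp_header) + len(payload)))
    fixed = bytearray(tcp_header[:20])
    fixed[16:18] = b"\x00\x00"
    return hashlib.md5(pseudo + bytes(fixed) + payload + key).digest()

def carried_digest(tcp_header):
    """Return the 16-byte digest from TCP option kind 19, or None."""
    opts = tcp_header[20:(tcp_header[12] >> 4) * 4]
    i = 0
    while i < len(opts) and opts[i] != 0:        # kind 0 ends the list
        if opts[i] == 1:                         # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return None                          # malformed option
        if opts[i] == 19 and opts[i + 1] == 18:
            return opts[i + 2:i + 18]
        i += opts[i + 1]
    return None

def verify_segment(src, dst, tcp_header, payload, key):
    """True only if the segment carries a digest matching this key."""
    carried = carried_digest(tcp_header)
    expected = tcp_md5_digest(src, dst, tcp_header, payload, key)
    return carried is not None and hmac.compare_digest(carried, expected)

def sample_segment(src, dst, payload, key):
    """Constructed BGP-port segment (ports, seq and flags are made up)."""
    fixed = struct.pack("!HHIIBBHHH", 179, 49152, 1000, 2000,
                        10 << 4, 0x18, 16384, 0, 0)
    placeholder = fixed + b"\x01\x01\x13\x12" + bytes(16)
    digest = tcp_md5_digest(src, dst, placeholder, payload, key)
    return fixed + b"\x01\x01\x13\x12" + digest

if __name__ == "__main__":
    hdr = sample_segment("192.0.2.1", "192.0.2.2", b"bgp-data", b"PASSWORD")
    print(verify_segment("192.0.2.1", "192.0.2.2", hdr, b"bgp-data", b"PASSWORD"))
    print(verify_segment("192.0.2.1", "192.0.2.2", hdr, b"bgp-data", b"password"))
```

Because the source and destination addresses are part of the hashed pseudo-header, each direction of the session produces different digests from the same key.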