Date:      Thu, 6 Sep 2012 17:30:28 +0200
From:      Patrick Lamaiziere <patfbsd@davenulle.org>
To:        SivaReddy Obili <sivareddy.obili@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: RFC 2385 TCP MD5 support on FreeBSD8.3
Message-ID:  <20120906173028.4448600f@mr129166>
In-Reply-To: <CAFtSE5eWYk%2BZ_2DJdS_yvFsx9OgLUJoYx1FBvSSG9%2BMTOv1poQ@mail.gmail.com>
References:  <CAFtSE5eWYk%2BZ_2DJdS_yvFsx9OgLUJoYx1FBvSSG9%2BMTOv1poQ@mail.gmail.com>

On Thu, 6 Sep 2012 20:46:53 +0530,
SivaReddy Obili <sivareddy.obili@gmail.com> wrote:

Hello,

> Recently I've downloaded the FreeBSD 8.3 Release ISO Image
> (FreeBSD-8.3-RELEASE-i386-dvd1 (1).iso) and installed in our machine.
> Actually our requirement is to check the TCP MD5 support on
> FreeBSD 8.3.
> 
> But we were not able to configure BGP MD5 on that machine.

I've used the TCP-MD5 signature for BGP between a FreeBSD 8.x and OpenBSD,
using setkey(8) to enforce the signature between the peers. That
worked (of course, then you shouldn't use tcp-md5 in OpenBGPD).

setkey(8):
add -4 peer1 peer2 tcp 0x1000 -A tcp-md5 "PASSWORD";
add -4 peer2 peer1 tcp 0x1000 -A tcp-md5 "PASSWORD";

kernconf:
# In order to enable IPSEC you MUST also add device crypto to 
# your kernel configuration
options IPSEC  #IP security (requires device crypto)
device  crypto
options TCP_SIGNATURE #include support for RFC 2385

You should check that the signature is checked (i.e. if the signature is
bad, bgpd rejects the connection), I've not tested this.

HTH.
Regards.
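
An added example, not part of the original message: a Python checker that recomputes the RFC 2385 digest for a captured TCP segment and compares it with the one carried in option kind 19, which is one way to confirm from a packet capture that segments between the peers are signed with the expected key. The function names, the 192.0.2.x addresses and the sample SYN are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MD5SIG = 0, 1, 19  # option kinds; 19 is RFC 2385

def rfc2385_digest(src_ip, dst_ip, segment, key):
    """MD5 over pseudo-header, fixed TCP header (checksum zeroed), data, key."""
    data_off = (segment[12] >> 4) * 4
    # The pseudo-header length covers the whole segment, options included,
    # but the option bytes themselves are left out of the hash.
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    fixed_hdr = segment[:16] + b"\x00\x00" + segment[18:20]
    return hashlib.md5(pseudo + fixed_hdr + segment[data_off:] + key).digest()

def find_md5_option(segment):
    """Return the 16-byte digest carried in option kind 19, or None."""
    opts = segment[20:(segment[12] >> 4) * 4]
    i = 0
    while i < len(opts) and opts[i] != TCPOPT_EOL:
        if opts[i] == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return None  # malformed option list
        if opts[i] == TCPOPT_MD5SIG and opts[i + 1] == 18:
            return opts[i + 2:i + 18]
        i += opts[i + 1]
    return None

def check_segment(src_ip, dst_ip, segment, key):
    """Classify a captured segment: 'unsigned', 'valid' or 'bad-signature'."""
    carried = find_md5_option(segment)
    if carried is None:
        return "unsigned"
    expected = rfc2385_digest(src_ip, dst_ip, segment, key)
    return "valid" if hmac.compare_digest(carried, expected) else "bad-signature"

def build_syn(src_ip, dst_ip, key=None):
    """Constructed sample SYN to port 179 (TCP checksum left at zero)."""
    words = 10 if key is not None else 5
    hdr = struct.pack("!HHIIBBHHH", 40000, 179, 1000, 0, words << 4, 0x02, 65535, 0, 0)
    if key is None:
        return hdr
    opt = bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_MD5SIG, 18])
    return hdr + opt + rfc2385_digest(src_ip, dst_ip, hdr + opt + bytes(16), key)
```

An "unsigned" or "bad-signature" result on a segment that the receiving bgpd went on to accept would indicate that the signature is not being enforced on that session.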


