From: Patrick Lamaiziere
To: SivaReddy Obili
Cc: freebsd-questions@freebsd.org
Date: Thu, 6 Sep 2012 17:30:28 +0200
Subject: Re: RFC 2385 TCP MD5 support on FreeBSD8.3
Message-ID: <20120906173028.4448600f@mr129166>

On Thu, 6 Sep 2012 20:46:53 +0530, SivaReddy Obili wrote:

Hello,

> Recently I've downloaded the FreeBSD 8.3 Release ISO Image
> (FreeBSD-8.3-RELEASE-i386-dvd1 (1).iso) and installed in our machine.
> Actually our requirement is to check the TCP MD5 support on
> FreeBSD8.3 .
>
> But we were not able to configure BGP MD5 on that machine.

I've used TCP-MD5 signature for bgp between a FreeBSD 8.x and OpenBSD,
using setkey(8) to enforce the signature between the peers.
That worked (of course, then you shouldn't use tcp-md5 in openbgpd).

setkey(8):

    add -4 peer1 peer2 tcp 0x1000 -A tcp-md5 "PASSWORD";
    add -4 peer2 peer1 tcp 0x1000 -A tcp-md5 "PASSWORD";

kernconf:

    # In order to enable IPSEC you MUST also add device crypto to
    # your kernel configuration
    options IPSEC            #IP security (requires device crypto)
    device crypto
    options TCP_SIGNATURE    #include support for RFC 2385

You should check that the signature is checked (i.e. if the signature is
bad, bgpd rejects the connection), I've not tested this.

HTH. Regards.
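
One way to do the check suggested above, as an added example that is not part of the original message: recompute the RFC 2385 digest for a TCP segment and compare it with the one carried in option 19. The function names, the 192.0.2.x peer addresses and the sample SYN are constructed for illustration; the input is the raw TCP segment (header plus data) with its IPv4 addresses.

```python
import hashlib
import hmac
import socket
import struct

MD5_KIND, MD5_LEN = 19, 18  # RFC 2385 TCP option: kind 19, length 18

def rfc2385_digest(src, dst, segment, key):
    """MD5 over pseudo-header, 20-byte TCP header (checksum zeroed,
    options excluded), segment data, then the shared key."""
    data_off = (segment[12] >> 4) * 4
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    header = segment[:16] + b"\x00\x00" + segment[18:20]
    return hashlib.md5(pseudo + header + segment[data_off:] + key).digest()

def md5_option(segment):
    """Return the 16-byte digest carried in the segment, or None."""
    end = min((segment[12] >> 4) * 4, len(segment))
    i = 20
    while i < end and segment[i] != 0:        # kind 0 = end of option list
        if segment[i] == 1:                   # kind 1 = NOP, single byte
            i += 1
            continue
        if i + 1 >= end:
            break
        length = segment[i + 1]
        if length < 2 or i + length > end:    # malformed option
            break
        if segment[i] == MD5_KIND and length == MD5_LEN:
            return segment[i + 2:i + MD5_LEN]
        i += length
    return None

def verify(src, dst, segment, key):
    """True only if the segment is signed and the digest matches the key."""
    carried = md5_option(segment)
    return carried is not None and hmac.compare_digest(
        carried, rfc2385_digest(src, dst, segment, key))

def sample_syn(src, dst, key, signed=True):
    """Constructed BGP SYN (port 179) for testing; not a captured packet."""
    opts = (bytes([1, 1, MD5_KIND, MD5_LEN]) + bytes(16)) if signed else b""
    off = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", 49152, 179, 1000, 0, off << 4, 0x02, 65535, 0, 0)
    if not signed:
        return hdr
    return hdr + opts[:4] + rfc2385_digest(src, dst, hdr + opts, key)
```

A peer that enforces the signature should drop both the wrong-key and the unsigned segment; if a session still comes up with a mismatched password, the setkey(8) entries are not being applied.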