From: Nikolay Denev <ndenev@gmail.com>
Date: Fri, 6 Jan 2012 08:37:46 +0200
To: sthaug@nethelp.no
Cc: freebsd-net@FreeBSD.org, dougb@FreeBSD.org
In-Reply-To: <20120104.144214.74742226.sthaug@nethelp.no>
Subject: Re: openbgpds not talking each other since 8.2-STABLE upgrade
On Jan 4, 2012, at 3:42 PM, sthaug@nethelp.no wrote:

>> You are setting the keys with setkey for both directions of a single session, right?
>> i.e.:
>>
>> add X.X.X.X Y.Y.Y.Y tcp 0x1000 -A tcp-md5 "SomePass";
>> add Y.Y.Y.Y X.X.X.X tcp 0x1000 -A tcp-md5 "SomePass";
>>
>> Before, it was only necessary to set the "outgoing" direction key, which should not work anymore unless
>> net.inet.tcp.signature_verify_input is zero.
>
> Are you sure? I have net.inet.tcp.signature_verify_input = 1 and only
> one line in /etc/ipsec.conf for each BGP session using MD5 keys, on
> 8.2-STABLE.
>
> Steinar Haug, Nethelp consulting, sthaug@nethelp.no

Hmm, you are right, it seems that my second SAD entries are not used at all.
However, I'm now running with net.inet.tcp.signature_verify_input = 0, because if I set it to 1 the BGP sessions to my other FreeBSD routers disconnect (and those are running Quagga).
Am I the only one who sees this running Quagga? One difference probably is that I have both TCP-MD5 protected sessions and ones that are not. And the unprotected sessions fail if I start checking ingress TCP signatures.
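The thread turns on whether each MD5-protected BGP session has a setkey entry for one direction or both. As an added example (not from the thread or from FreeBSD), this shell snippet parses `add ... tcp ... -A tcp-md5` lines in the format quoted above and reports, per session, whether the reverse-direction entry is also present; the addresses and passphrases are constructed placeholders.

```shell
#!/bin/sh
# Constructed /etc/ipsec.conf-style setkey entries (placeholder addresses, not real peers).
IPSEC_CONF='add 192.0.2.1 192.0.2.2 tcp 0x1000 -A tcp-md5 "SomePass";
add 192.0.2.2 192.0.2.1 tcp 0x1000 -A tcp-md5 "SomePass";
add 192.0.2.1 198.51.100.7 tcp 0x1000 -A tcp-md5 "OtherPass";
'

# Read setkey "add" lines on stdin and print one line per tcp-md5 SA:
#   "SRC DST both"     when the reverse direction (DST SRC) is also configured
#   "SRC DST one-way"  when only this direction is configured
# Field layout of a matching line: add SRC DST tcp SPI -A tcp-md5 "pass";
tcpmd5_directions() {
    awk '
        $1 == "add" && $4 == "tcp" && $6 == "-A" && $7 == "tcp-md5" {
            key = $2 " " $3
            seen[key] = 1
            order[++n] = key
        }
        END {
            for (i = 1; i <= n; i++) {
                split(order[i], p, " ")
                rev = p[2] " " p[1]
                status = (rev in seen) ? "both" : "one-way"
                print order[i], status
            }
        }'
}

# Number of sessions that have a tcp-md5 SA in only one direction.
count_one_way() {
    printf '%s' "$1" | tcpmd5_directions | awk '$3 == "one-way" { c++ } END { print c + 0 }'
}

# Stand-alone run: list every session and its direction coverage.
printf '%s' "$IPSEC_CONF" | tcpmd5_directions
```

Run it against the live file with `tcpmd5_directions < /etc/ipsec.conf` before toggling net.inet.tcp.signature_verify_input, so the sessions that would be affected are known in advance.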