Date:      Fri, 6 Jan 2012 08:37:46 +0200
From:      Nikolay Denev <ndenev@gmail.com>
To:        sthaug@nethelp.no
Cc:        freebsd-net@FreeBSD.org, dougb@FreeBSD.org
Subject:   Re: openbgpds not talking each other since 8.2-STABLE upgrade
Message-ID:  <AE29A978-A91D-48E3-B78A-B406B76EAA60@gmail.com>
In-Reply-To: <20120104.144214.74742226.sthaug@nethelp.no>
References:  <20120104.040611.1847309275485655567.hrs@allbsd.org> <4F036A7F.9030906@FreeBSD.org> <52D4B9DF-4BC3-4AF7-BCE0-A88E18F25650@gmail.com> <20120104.144214.74742226.sthaug@nethelp.no>


On Jan 4, 2012, at 3:42 PM, sthaug@nethelp.no wrote:

>> You are setting the keys with setkey for both directions of a single session, right?
>> i.e.:
>>
>>  add X.X.X.X Y.Y.Y.Y tcp 0x1000 -A tcp-md5 "SomePass";
>>  add Y.Y.Y.Y X.X.X.X tcp 0x1000 -A tcp-md5 "SomePass";
>>
>> Before, it was only needed to set the "outgoing" direction key, which should not work anymore unless
>> net.inet.tcp.signature_verify_input is zero.
>
> Are you sure? I have net.inet.tcp.signature_verify_input = 1 and only
> one line in /etc/ipsec.conf for each BGP session using MD5 keys, on
> 8.2-STABLE.
>
> Steinar Haug, Nethelp consulting, sthaug@nethelp.no

Hmm, you are right, it seems that my second SAD entries are not used at all.
However I'm now running with net.inet.tcp.signature_verify_input = 0, because if I set it to 1
the BGP sessions to my other FreeBSD routers disconnect (and those are running Quagga).
Am I the only one who sees this running Quagga? One difference probably is that I have both TCP-MD5 protected
sessions and ones that are not. And the unprotected sessions fail if I start checking ingress TCP signatures.
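As an added example (not part of the thread, and not FreeBSD's or OpenBGPD's own tooling), the following POSIX shell functions generate the setkey(8) SAD entries for one TCP-MD5 session in both directions, as the quoted configuration does, and check a list of existing "src dst" SA pairs for sessions that only have the outbound direction installed. The SPI 0x1000 is taken from the quoted config; the addresses, secret and the sample SA list are constructed placeholders, and the sample list stands in for what you would extract from `setkey -D` rather than parsing its real output.

```shell
#!/bin/sh
# Added example: TCP-MD5 SAD entries for both directions of a BGP session,
# plus a check for sessions whose inbound SA is missing.
# Assumptions: SPI 0x1000 (as in the quoted setkey lines); all addresses,
# secrets and the SA list below are constructed placeholders.

# Emit setkey "add" lines for one session, outbound and inbound.
# $1 local address, $2 peer address, $3 shared secret
tcpmd5_sad_entries() {
    printf 'add %s %s tcp 0x1000 -A tcp-md5 "%s";\n' "$1" "$2" "$3"
    printf 'add %s %s tcp 0x1000 -A tcp-md5 "%s";\n' "$2" "$1" "$3"
}

# Given "src dst" pairs (one per line, a constructed stand-in for what you
# would extract from `setkey -D`), print each pair whose reverse direction
# is absent. With net.inet.tcp.signature_verify_input=1 the kernel needs
# the inbound SA to verify the MD5 option on received segments.
missing_reverse() {
    pairs="$1"
    printf '%s\n' "$pairs" | while read -r src dst; do
        [ -n "$src" ] || continue
        if ! printf '%s\n' "$pairs" | grep -qxF "$dst $src"; then
            printf '%s %s\n' "$src" "$dst"
        fi
    done
}

# Constructed sample: two sessions, the second with only the outbound SA.
SAMPLE_SAD='192.0.2.1 198.51.100.1
198.51.100.1 192.0.2.1
192.0.2.1 203.0.113.7'

# Usage: print the entries for one session, then report one-directional SAs.
tcpmd5_sad_entries 192.0.2.1 198.51.100.1 "SomePass"
missing_reverse "$SAMPLE_SAD"
```

On a router the generated lines would go into /etc/ipsec.conf (or be fed to `setkey -c`); the check function is only a convenience for spotting sessions that were set up under the old one-direction convention before enabling ingress signature verification.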
