Date:      Fri, 06 Jan 2012 08:55:54 +0100 (CET)
From:      sthaug@nethelp.no
To:        ndenev@gmail.com
Cc:        freebsd-net@FreeBSD.org
Subject:   Re: openbgpds not talking each other since 8.2-STABLE upgrade
Message-ID:  <20120106.085554.74661755.sthaug@nethelp.no>
In-Reply-To: <AE29A978-A91D-48E3-B78A-B406B76EAA60@gmail.com>
References:  <52D4B9DF-4BC3-4AF7-BCE0-A88E18F25650@gmail.com> <20120104.144214.74742226.sthaug@nethelp.no> <AE29A978-A91D-48E3-B78A-B406B76EAA60@gmail.com>

> > Are you sure? I have net.inet.tcp.signature_verify_input = 1 and only
> > one line in /etc/ipsec.conf for each BGP session using MD5 keys, on
> > 8.2-STABLE.
>
> Hmm, you are right, it seems that my second SAD entries are not used at all.
> However I'm now running with net.inet.tcp.signature_verify_input = 0, because if I set it to 1
> the BGP sessions to my other FreeBSD routers disconnect. (and that is running Quagga).
> Am I the only one who sees this running Quagga? One difference probably is that I have both TCP-MD5 protected
> sessions and ones that are not. And the not protected sessions fail if I start checking ingress tcp signatures.

Have a look at

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=452717+0+current/freebsd-net

This is a nice summary of the different possibilities. And indicates,
if I read it right, that there *is* indeed a problem.

My case is Quagga bgpd talking to several JunOS routers, only a single
TCP session (with MD5) to each router. This works just fine.

I have never attempted BGP with MD5 between two FreeBSD boxes.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
