From owner-freebsd-net@FreeBSD.ORG Fri Jan 6 07:55:57 2012
Delivered-To: freebsd-net@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 73E55106566C; Fri, 6 Jan 2012 07:55:57 +0000 (UTC) (envelope-from sthaug@nethelp.no)
Received: from bizet.nethelp.no (bizet.nethelp.no [195.1.209.33]) by mx1.freebsd.org (Postfix) with SMTP id BA1008FC0A; Fri, 6 Jan 2012 07:55:56 +0000 (UTC)
Received: (qmail 92131 invoked from network); 6 Jan 2012 07:55:55 -0000
Received: from bizet.nethelp.no (HELO localhost) (195.1.209.33) by bizet.nethelp.no with SMTP; 6 Jan 2012 07:55:55 -0000
Date: Fri, 06 Jan 2012 08:55:54 +0100 (CET)
Message-Id: <20120106.085554.74661755.sthaug@nethelp.no>
To: ndenev@gmail.com
From: sthaug@nethelp.no
References: <52D4B9DF-4BC3-4AF7-BCE0-A88E18F25650@gmail.com> <20120104.144214.74742226.sthaug@nethelp.no>
X-Mailer: Mew version 3.3 on Emacs 21.3 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc: freebsd-net@FreeBSD.org
Subject: Re: openbgpds not talking each other since 8.2-STABLE upgrade
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Fri, 06 Jan 2012 07:55:57 -0000

> > Are you sure? I have net.inet.tcp.signature_verify_input = 1 and only
> > one line in /etc/ipsec.conf for each BGP session using MD5 keys, on
> > 8.2-STABLE.
>
> Hmm, you are right, it seems that my second SAD entries are not used at all.
> However I'm now running with net.inet.tcp.signature_verify_input = 0, because if I set it to 1
> the BGP sessions to my other FreeBSD routers disconnect. (and that is running Quagga).
> Am I the only one who sees this running Quagga?
> One difference probably is that I have both TCP-MD5 protected
> sessions and ones that are not. And the not protected sessions fail if
> I start checking ingress tcp signatures.

Have a look at

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=452717+0+current/freebsd-net

This is a nice summary of the different possibilities. And indicates, if
I read it right, that there *is* indeed a problem.

My case is Quagga bgpd talking to several JunOS routers, only a single
TCP session (with MD5) to each router. This works just fine. I have never
attempted BGP with MD5 between two FreeBSD boxes.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
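The thread turns on what `net.inet.tcp.signature_verify_input = 1` actually checks on an incoming segment. The following is an added example, not code from this thread or from FreeBSD: it builds TCP segments carrying the RFC 2385 TCP-MD5 option and verifies them the way an ingress check for a session that is expected to be signed would, computing the MD5 over the pseudo-header, the fixed TCP header with the checksum zeroed (options excluded), the data and the shared key. The addresses, ports and key are constructed sample values; the functions `build_segment` and `verify_segment` are this example's own names, and the code assumes FreeBSD follows RFC 2385 for the digest inputs but does not reproduce the kernel's SA lookup.

```python
import hashlib
import hmac
import socket
import struct

TCPOPT_EOL = 0
TCPOPT_NOP = 1
TCPOPT_SIGNATURE = 19      # RFC 2385 option kind
TCPOLEN_SIGNATURE = 18     # kind + length + 16-byte MD5 digest


def tcp_md5_digest(src_ip, dst_ip, header20, total_len, payload, key):
    # RFC 2385 section 2: MD5 over, in order,
    #   1. the TCP pseudo-header (src, dst, zero, protocol, TCP length incl. options)
    #   2. the fixed 20-byte TCP header with the checksum zeroed, options excluded
    #   3. the segment data
    #   4. the shared key
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, total_len))
    fixed = header20[:16] + b"\x00\x00" + header20[18:20]
    return hashlib.md5(pseudo + fixed + payload + key).digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key=None):
    # Build a TCP segment (no IP header) as an in-memory byte string; the checksum
    # stays zero because nothing here is sent on the wire. With a key, the signature
    # option plus two NOPs (20 option bytes, data offset 10) is appended.
    opt_len = 20 if key is not None else 0
    data_off = (20 + opt_len) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_off << 4, flags, 65535, 0, 0)
    if key is None:
        return header + payload
    digest = tcp_md5_digest(src_ip, dst_ip, header,
                            20 + opt_len + len(payload), payload, key)
    options = (bytes([TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE]) + digest
               + bytes([TCPOPT_NOP, TCPOPT_NOP]))
    return header + options + payload


def find_signature_option(options):
    # Walk the TCP option list; return the 16-byte digest of a kind-19 option or None.
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break
        if kind == TCPOPT_SIGNATURE and length == TCPOLEN_SIGNATURE:
            return options[i + 2:i + length]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    # Ingress check for a session whose SA says "must be signed": a segment with no
    # signature option, a wrong key, or the wrong address pair is rejected.
    if len(segment) < 20:
        return False
    data_off = (segment[12] >> 4) * 4
    if data_off < 20 or data_off > len(segment):
        return False
    header, options, payload = segment[:20], segment[20:data_off], segment[data_off:]
    received = find_signature_option(options)
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, header, len(segment), payload, key)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    # Constructed sample session: 192.0.2.1:179 -> 192.0.2.2:40000, key "s3cret".
    seg = build_segment("192.0.2.1", "192.0.2.2", 179, 40000, 1, 0, 0x18,
                        b"bgp-open", b"s3cret")
    print("signed, right key:  ", verify_segment("192.0.2.1", "192.0.2.2", seg, b"s3cret"))
    print("signed, wrong key:  ", verify_segment("192.0.2.1", "192.0.2.2", seg, b"wrong"))
    print("signed, swapped dir:", verify_segment("192.0.2.2", "192.0.2.1", seg, b"s3cret"))
    plain = build_segment("192.0.2.1", "192.0.2.2", 179, 40000, 1, 0, 0x18, b"bgp-open")
    print("unsigned segment:   ", verify_segment("192.0.2.1", "192.0.2.2", plain, b"s3cret"))
```

Because the pseudo-header fixes the source and destination addresses, a digest computed for one direction does not verify for the other, which is why the SA the kernel consults has to match the address pair of the incoming segment; and an unsigned segment fails the check outright, which matches the behaviour described above for unprotected sessions once ingress verification is enabled.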