FreeBSD, BGP and md5

Peter Andreev p.andreev at msk-ix.ru
Fri Mar 23 14:31:30 CET 2018


Leo,

Thanks for the answer.

As for 11.1 IPSEC is already enabled in GENERIC, so I had to add only TCP_SIGNATURE.

After I'd installed new kernel, BGP auth started working without adding ipsec-related stuff to rc.conf or altering setkey.conf
 
> On 23 Mar 2018, at 15:37, Leo Vandewoestijne <bird at dns.company> wrote:
> 
> On Fri, 23 Mar 2018, Peter Andreev wrote:
> 
>> Is it still necessary to build custom kernel to get md5 auth working?
>> 
> I'm pretty sure, yes.
> The only way I got it working in 11.1 i.c.w. 1.6.x was:
> 
> # kernel config
> options IPSEC
> options TCP_SIGNATURE
> 
> # /etc/rc.conf
> ipsec_enable="YES"
> ipsec_program="/sbin/setkey"
> ipsec_file="/etc/setkey.conf"
> 
> # /etc/setkey.conf
> flush;		# useful when running mutations manually
> spdflush;	# useful when running mutations manually
> add -4 12.34.56.6 12.34.56.7 tcp 0x1000 -A tcp-md5 "teNp8XUrZtNteNjbep68jXgUGroZtUN";
> add -4 12.34.56.7 12.34.56.6 tcp 0x1000 -A tcp-md5 "teNp8XUrZtNteNjbep68jXgUGroZtUN";
> 
> And initially nothing in bird.conf (just like I did in OpenBGPd in the pre-Bird era).
> But suddenly -about a year ago- at one Asian location I needed the password option in bird.conf.
> 
> I however do see a setkey patch in the current 1.6.4 port, so I don't know what has changed there.
> I have not used that, as I migrated to 2.0.x, which offered a password option in bird.conf:
> 
> # bird.conf - at the BGP protocol:
> password "teNp8XUrZtNteNjbep68jXgUGroZtUN";
> 
> So the intended design was to only need it in bird.conf,
> but in reality I now only got it working when setting it both in setkey.conf and in bird.conf
> 
> Clearly things have changed, somewhere in 11.1.
> I already noticed IPSEC_NAT_T was removed (which was useful on vlan)
> https://svnweb.freebsd.org/base/stable/11/sys/modules/tcp/tcpmd5/Makefile?view=log&pathrev=315514
> So this week I puzzled some more after having IPSEC_SUPPORT added to the kernel.
> 
> But so far I did not witness any difference, so I'm still with the double config - not a real issue; it works fine.
> 
> 
> So I continued with finding out the correct restrictions/permissions in PF.
> For clarity; the double config "problem" is unrelated to firewalling - I did pretty much all of my testing without.
> I don't wish to threadjack yet, with something in fact unrelated to Bird, but once your problem is solved I'd like to bring that question up.
> 
> 
> Feel free to contact me off list in case you feel any need to.
> 
> 
> -- 
> 
> Met vriendelijke groet,
> With kind regards,
> 
> 
> Leo Vandewoestijne
> <***@dns.company>
> <www.dns.company>

--
Peter Andreev                         MSK-IX/RIPN
+7 (495) 737-0685                DNS Network Operational Center
+7 (499) 192-9179
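A small helper script for the setkey.conf side of the double config discussed above. This is an added example, not code from either poster or from BIRD/FreeBSD: it generates the two symmetric "add ... -A tcp-md5" SAs (the same key must be installed for both directions, one entry per direction, exactly as in Leo's quoted setkey.conf), and it checks an existing setkey.conf for the two mistakes that silently break TCP-MD5 sessions: a missing reverse SA, or a key that differs between the two directions. The function names, the constructed sample configs, the addresses and the keys are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): helpers for TCP-MD5 SAs in setkey.conf.
# Syntax follows the quoted lines: add -4 SRC DST tcp SPI -A tcp-md5 "KEY";

# gen_tcpmd5_sa LOCAL PEER SPI KEY
# Prints both directions with the same key; the BGP peer must install the
# mirror image of these two lines (or the password in its own BGP config).
gen_tcpmd5_sa() {
    local_ip=$1; peer_ip=$2; spi=$3; key=$4
    printf 'add -4 %s %s tcp %s -A tcp-md5 "%s";\n' "$local_ip" "$peer_ip" "$spi" "$key"
    printf 'add -4 %s %s tcp %s -A tcp-md5 "%s";\n' "$peer_ip" "$local_ip" "$spi" "$key"
}

# check_tcpmd5_pairs FILE
# Exit 0 when every tcp-md5 SA in FILE has a reverse SA with the same key,
# non-zero (with a message per problem) otherwise. Comments are ignored.
check_tcpmd5_pairs() {
    awk '
        { sub(/#.*/, "") }                      # drop trailing comments
        $1 == "add" && $(NF-1) == "tcp-md5" {
            src = $3; dst = $4; key = $NF
            gsub(/[";]/, "", key)               # strip quotes and semicolon
            sa[src " " dst] = key
            n++
        }
        END {
            bad = 0
            if (n == 0) { print "no tcp-md5 SAs found"; exit 1 }
            for (k in sa) {
                split(k, p, " ")
                rev = p[2] " " p[1]
                if (!(rev in sa)) {
                    printf "missing reverse SA for %s -> %s\n", p[1], p[2]
                    bad = 1
                } else if (sa[rev] != sa[k]) {
                    printf "key mismatch between %s and %s\n", k, rev
                    bad = 1
                }
            }
            exit bad
        }
    ' "$1"
}

# Demo on a constructed config (assumed addresses/key, not the thread's values).
demo_tcpmd5_check() {
    demo_file=$(mktemp)
    {
        echo 'flush;          # constructed sample'
        echo 'spdflush;'
        gen_tcpmd5_sa 192.0.2.1 192.0.2.2 0x1000 example-key-not-a-real-secret
        # A one-directional SA with no reverse entry: the check should flag it.
        echo 'add -4 192.0.2.1 192.0.2.3 tcp 0x1000 -A tcp-md5 "lonely";'
    } > "$demo_file"
    if check_tcpmd5_pairs "$demo_file"; then
        echo "setkey.conf OK"
    else
        echo "setkey.conf has asymmetric tcp-md5 SAs"
    fi
    rm -f "$demo_file"
}
```

Run `check_tcpmd5_pairs /etc/setkey.conf` before `service ipsec reload`; the demo above deliberately includes a one-way SA so it reports "missing reverse SA". The check only validates the setkey side: when the password is also set in bird.conf, it has to be the same string as the setkey key, which this script cannot see.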