<div dir="ltr">Stuart,<div><br></div><div>Brilliant, many thanks for your support, really appreciate it. As soon as I am able (busy racking kit today), I'll give it a shot and let you know the outcome.</div><div><br></div><div>Cheers daz</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 22 February 2017 at 14:47, Stuart Henderson <span dir="ltr">&lt;<a href="mailto:stu@spacehopper.org" target="_blank">stu@spacehopper.org</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 2017/02/22 14:10, Darren Marshall wrote:<br>
> Hi Stuart,<br>
><br>
> Thanks for the info, not exactly what I was hoping to hear! I wonder<br>
> why your tests configuring outside of Bird didn't work? Would you mind<br>
> sharing your sample /etc/ipsec.conf file?<br>
><br>
> You are right, it is inconvenient having to configure the keys outside<br>
> of Bird, but right now I'd settle for that if I can get a working<br>
> neighborship using MD5 auth!<br>
<br>
Aha: I've figured out a bit more, and got it to actually connect.<br>
The bit I was missing: bird.conf still needs to have "password" set in<br>
the config, though the actual value isn't used.<br>
<br>
ipsec.conf format is like this:<br>
<br>
tcpmd5 from 192.0.2.1 to 192.0.2.2 spi 0xe1234567:0xf1234567 \<br>
authkey 6d656b6d697461736469676f6174:6d656b6d697461736469676f6174<br>
<br>
The SPI numbers need to be unique on the system, two different ones need<br>
to be given, one for each direction. The key also needs to be repeated<br>
for both directions. (So, 2x different values for SPI, 2x same for key).<br>
<br>
As I mentioned, ipsecctl only allows setting a hex key. This is just the<br>
ASCII characters converted to hex, you can convert like this:<br>
<br>
$ echo -n mekmitasdigoat | hexdump -e '/1 "%02x"'; echo<br>
6d656b6d697461736469676f6174<br>
<br>
</blockquote></div><br></div>
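<div>Added example, not part of the original messages: a POSIX sh helper that builds a tcpmd5 rule in the ipsec.conf format Stuart shows, converting the ASCII password to hex one byte at a time and rejecting identical SPIs, plus a check for SPIs reused within an ipsec.conf. The function names are hypothetical; the addresses, SPIs and password are the sample values from the thread.</div>

```shell
#!/bin/sh
# Added example: function names are hypothetical; sample values come from the thread.

# ASCII password -> hex, strictly one byte at a time. od -tx1 avoids the
# 16-bit byte swapping that plain hexdump output shows on little-endian hosts.
ascii_to_hex() {
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n'
}

# tcpmd5_rule LOCAL PEER SPI_OUT SPI_IN PASSWORD
# Prints one rule: two different SPIs, the same key repeated for both directions.
tcpmd5_rule() {
    local_ip=$1 peer_ip=$2 spi_out=$3 spi_in=$4
    for spi in "$spi_out" "$spi_in"; do
        case $spi in
            0x|0x*[!0-9a-fA-F]*) echo "bad SPI: $spi" >&2; return 1 ;;
            0x*) ;;
            *) echo "SPI must be hex (0x...): $spi" >&2; return 1 ;;
        esac
    done
    if [ "$spi_out" = "$spi_in" ]; then
        echo "SPIs for the two directions must differ" >&2
        return 1
    fi
    key=$(ascii_to_hex "$5")
    printf 'tcpmd5 from %s to %s spi %s:%s \\\n\tauthkey %s:%s\n' \
        "$local_ip" "$peer_ip" "$spi_out" "$spi_in" "$key" "$key"
}

# duplicate_spis: reads ipsec.conf text on stdin and prints every SPI that
# appears more than once (SPIs must be unique on the system).
duplicate_spis() {
    sed -n 's/.*spi \(0x[0-9a-fA-F]*:0x[0-9a-fA-F]*\).*/\1/p' |
        tr ':' '\n' | tr 'A-F' 'a-f' | sort | uniq -d
}

# Rule for the peer pair used in the thread.
tcpmd5_rule 192.0.2.1 192.0.2.2 0xe1234567 0xf1234567 mekmitasdigoat
```

<div>Remember that bird.conf still needs "password" set for the neighbor, as noted in the message, even though its value is not used.</div>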