FreeBSD, BGP and md5

Leo Vandewoestijne bird at unicycle.net
Fri Mar 23 13:40:41 CET 2018


On Fri, 23 Mar 2018, Peter Andreev wrote:

> Is it still necessary to build custom kernel to get md5 auth working?
> 
I'm pretty sure, yes.
The only way I got it working in 11.1 in combination with 1.6.x was:

# kernel config
options IPSEC
options TCP_SIGNATURE

# /etc/rc.conf
ipsec_enable="YES"
ipsec_program="/sbin/setkey"
ipsec_file="/etc/setkey.conf"

# /etc/setkey.conf
flush;		# useful when running mutations manually
spdflush;	# useful when running mutations manually
add -4 12.34.56.6 12.34.56.7 tcp 0x1000 -A tcp-md5 "teNp8XUrZtNteNjbep68jXgUGroZtUN";
add -4 12.34.56.7 12.34.56.6 tcp 0x1000 -A tcp-md5 "teNp8XUrZtNteNjbep68jXgUGroZtUN";

And initially nothing in bird.conf (just like I did in OpenBGPd in the pre-Bird era).
But suddenly, about a year ago, at one Asian location I needed the password option in bird.conf.

I however do see a setkey patch in the current 1.6.4 port, so I don't know what has changed there.
I have not used that, as I migrated to 2.0.x, which offered a password option in bird.conf:

# bird.conf - at the BGP protocol:
password "teNp8XUrZtNteNjbep68jXgUGroZtUN";

So the intended design was to only need it in bird.conf,
but in reality I now only got it working when setting it both in setkey.conf and in bird.conf.

Clearly things have changed, somewhere in 11.1.
I already noticed IPSEC_NAT_T was removed (which was useful on vlan).
https://svnweb.freebsd.org/base/stable/11/sys/modules/tcp/tcpmd5/Makefile?view=log&pathrev=315514
So this week I puzzled some more after having IPSEC_SUPPORT added to the kernel.

But so far I did not witness any difference, so I'm still with the double config - not a real issue; it works fine.


So I continued with finding out the correct restrictions/permissions in PF.
For clarity: the double config "problem" is unrelated to firewalling - I did pretty much all of my testing without.
I don't wish to threadjack yet, with something in fact unrelated to Bird, but once your problem is solved I'd like to bring that question up.


Feel free to contact me off list in case you feel any need to.


-- 

Met vriendelijke groet,
With kind regards,


Leo Vandewoestijne
<***@dns.company>
<www.dns.company>
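Added example (not from the post, Bird or FreeBSD): a Python check that a captured TCP segment carries the RFC 2385 MD5 signature option (kind 19) and that its digest verifies under the shared key, which is what the setkey.conf and bird.conf password above configure. Addresses, ports, the BGP KEEPALIVE payload and the segment layout are constructed for the example.

```python
import hashlib
import hmac
import socket
import struct

TCPOPT_MD5 = 19       # RFC 2385 TCP MD5 Signature Option kind
TCPOPT_MD5_LEN = 18   # kind(1) + length(1) + 16-byte digest

def rfc2385_digest(src_ip, dst_ip, tcp_segment, key):
    """MD5 over IPv4 pseudo-header, header without options (checksum zero), payload, key."""
    data_offset = (tcp_segment[12] >> 4) * 4   # header length incl. options
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp_segment)))
    header = bytearray(tcp_segment[:20])
    header[16:18] = b"\x00\x00"                 # checksum is taken as zero
    return hashlib.md5(pseudo + bytes(header) + tcp_segment[data_offset:] + key).digest()

def find_md5_option(tcp_segment):
    """Walk the TCP options; return the 16-byte digest of a kind-19 option or None."""
    data_offset = (tcp_segment[12] >> 4) * 4
    i = 20
    while i + 1 < data_offset:
        kind = tcp_segment[i]
        if kind == 0:                           # End of Option List
            return None
        if kind == 1:                           # NOP
            i += 1
            continue
        length = tcp_segment[i + 1]
        if length < 2 or i + length > data_offset:
            return None                         # malformed option list
        if kind == TCPOPT_MD5 and length == TCPOPT_MD5_LEN:
            return bytes(tcp_segment[i + 2:i + 18])
        i += length
    return None

def verify_tcp_md5(src_ip, dst_ip, tcp_segment, key):
    """True only if the segment carries an MD5 option whose digest matches the key."""
    digest = find_md5_option(tcp_segment)
    if digest is None:
        return False
    return hmac.compare_digest(digest, rfc2385_digest(src_ip, dst_ip, tcp_segment, key))

def build_signed_segment(src_ip, dst_ip, sport, dport, payload, key):
    """Constructed segment: 20-byte header, MD5 option, two NOPs (data offset 10)."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 10 << 4, 0x18, 65535, 0, 0)
    options = bytes([TCPOPT_MD5, TCPOPT_MD5_LEN]) + b"\x00" * 16 + b"\x01\x01"
    segment = header + options + payload
    # The option bytes are not covered by the digest, so the placeholder can be filled in afterwards.
    return segment[:22] + rfc2385_digest(src_ip, dst_ip, segment, key) + segment[38:]
```

Feeding the TCP layer of a captured BGP packet (port 179) plus the IP addresses and the configured key into verify_tcp_md5 tells you whether the peer is actually signing, independent of whether the kernel or the daemon installed the key.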