Fwd: Bird / OpenBSD / BGP MD5 authentication walkthrough

Stuart Henderson stu at spacehopper.org
Wed Feb 22 15:47:17 CET 2017


On 2017/02/22 14:10, Darren Marshall wrote:
> Hi Stuart,
> 
> Thanks for the info, not exactly what I was hoping to hear! I wonder
> why your tests configuring outside of Bird didn't work? Would you mind
> sharing your sample /etc/ipsec.conf file?
> 
> You are right, it is inconvenient having to configure the keys outside
> of Bird, but right now I'd settle for that if I can get a working
> neighborship using MD5 auth!

Aha: I've figured out a bit more, and got it to actually connect.
The bit I was missing: bird.conf still needs to have "password" set in
the config, though the actual value isn't used.

ipsec.conf format is like this:

   tcpmd5 from 192.0.2.1 to 192.0.2.2 spi 0xe1234567:0xf1234567 \
	authkey 6d656b6d697461736469676f6174:6d656b6d697461736469676f6174

The SPI numbers need to be unique on the system, two different ones need
to be given, one for each direction. The key also needs to be repeated
for both directions. (So, 2x different values for SPI, 2x same for key).

As I mentioned, ipsecctl only allows setting a hex key. This is just the
ASCII characters converted to hex; you can convert like this:

$ echo -n mekmitasdigoat | hexdump -e '/1 "%02x"'; echo
6d656b6d697461736469676f6174
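
The rule format and the conversion described in the message above, combined into one script. This is an added example, not part of the original post: the function names are hypothetical, `od` stands in for `hexdump` because it is POSIX, and the addresses, SPIs and password are the sample values from the message.

```shell
#!/bin/sh
# Added example: build an ipsec.conf tcpmd5 rule from an ASCII password and
# enforce the constraints from the message: two different SPIs (one per
# direction) and the same hex key repeated for both directions.
# Function names are hypothetical.

# ASCII password -> hex string, the only key form ipsecctl accepts.
pw_to_hex() {
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n'
}

# Succeeds only for "0x" followed by at least one hex digit.
is_spi() {
    case "$1" in
        0x) return 1 ;;
        0x*) case "${1#0x}" in *[!0-9a-fA-F]*) return 1 ;; esac ;;
        *) return 1 ;;
    esac
}

# tcpmd5_rule LOCAL PEER SPI_A SPI_B PASSWORD
tcpmd5_rule() {
    is_spi "$3" && is_spi "$4" || { echo "SPI must be 0x<hex>" >&2; return 1; }
    # Compare case-insensitively so 0xE1... and 0xe1... count as the same SPI.
    spi_a=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    spi_b=$(printf '%s' "$4" | tr 'A-F' 'a-f')
    [ "$spi_a" != "$spi_b" ] || { echo "SPIs must differ per direction" >&2; return 1; }
    [ -n "$5" ] || { echo "empty password" >&2; return 1; }
    key=$(pw_to_hex "$5")
    printf 'tcpmd5 from %s to %s spi %s:%s \\\n\tauthkey %s:%s\n' \
        "$1" "$2" "$spi_a" "$spi_b" "$key" "$key"
}

# Sample values from the message above.
tcpmd5_rule 192.0.2.1 192.0.2.2 0xe1234567 0xf1234567 mekmitasdigoat
```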


