Fwd: Bird / OpenBSD / BGP MD5 authentication walkthrough
Darren Marshall
darren at tuff.org.uk
Wed Feb 22 16:37:16 CET 2017
Stuart,
Brilliant , many thanks for your support , really appreciate it, as soon
as I am able (busy racking kit today), I'll give it a shot and let you know
the outcome.
Cheers daz
On 22 February 2017 at 14:47, Stuart Henderson <stu at spacehopper.org> wrote:
> On 2017/02/22 14:10, Darren Marshall wrote:
> > Hi Stuart,
> >
> > Thanks for the info, not exactly what I was hoping to hear!. I wonder
> > why your tests configuring outside of Bird didn't work?, would you mind
> > sharing your sample /etc/ipsec.conf file ?.
> >
> > You are right , it is inconvenient having to configure the keys outside
> > of Bird, but right now I'd settle for that if I can get a working
> > neighborship using MD5 auth!
>
> Aha: I've figured out a bit more, and got it to actually connect.
> The bit I was missing: bird.conf still needs to have "password" set in
> the config, though the actual value isn't used.
>
> ipsec.conf format is like this:
>
> tcpmd5 from 192.0.2.1 to 192.0.2.2 spi 0xe1234567:0xf1234567 \
> authkey 6d656b6d697461736469676f6174:6d656b6d697461736469676f6174
>
> The SPI numbers need to be unique on the system, two different ones need
> to be given, one for each direction. The key also needs to be repeated
> for both directions. (So, 2x different values for SPI, 2x same for key).
>
> As I mentioned ipsecctl only allows setting a hex key. this is just the
> ascii characters converted to hex, you can convert like this:
>
> $ echo -n mekmitasdigoat | hexdump -e '/1 "%02x"'; echo
> 6d6b656d736174696f6769647461
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://trubka.network.cz/pipermail/bird-users/attachments/20170222/bcbfc063/attachment.html>
More information about the Bird-users
mailing list