TCP-MD5



Hi,

I've had TCP-MD5 working on an old FreeBSD 4.x; it crashed and I've
reinstalled a FreeBSD 6.x now. Everything is working fine except the
TCP-MD5 part.
I am using it for Quagga BGP-MD5. All peers I'm trying to talk to say
that my key is invalid. Even though I set it up on a machine I control
myself and copy-paste the key, the peer says the key is invalid.

Has the syntax changed on how to set this up?

I've compiled the kernel with
<snip>
FAST_IPSEC
TCP_SIGNATURE
device crypto
device cryptodev
</snip>

and added QUAGGA_MD5_SIGNATURE(or whatever it is called) to the
configuration of Quagga but still receive the same result.

When I run "setkey -D" it shows me a dump of the peers, as expected, and
from what I can tell it is correct.
I do receive a lot of errors like "tcp_signature_compute: SADB lookup
failed for <peer-ip>" even though the key is valid.

I've tried compiling the kernel with "IPSEC" and not "FAST_IPSEC" too
but with the same result.

My "setkey -D" dump looks somewhat like this
<snip>
<sourceip> <peerip>
tcp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
A: tcp-md5 xxxxxxxx xxxxxx
seq=0x00000000 replay=0 flags=0x00000040 state=mature
created: Apr 4 13:57:36 2006 current: Apr 4 15:47:20 2006
diff: 6584(s) hard: 0(s) soft: 0(s)
last: Apr 4 15:14:30 2006 hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 64 hard: 0 soft: 0
sadb_seq=0 pid=xxxxx refcnt=1
</snip>
(Some information has been overwritten with " x ".)

"setkey -DP" gives me "No SPD entries." which is probably as it should be.

My "/etc/ipsec.conf" configuration file looks something like this
<snip>
flush ;
add -4 <sourceip> <peerip> tcp 0x1000 -A tcp-md5 "<validBGPKey>" ;
</snip>

And in my Quagga configuration it has a "neighbor <peerip> password
<validBGPKey>" entry.


--
Best regards,
Patrik
_______________________________________________
freebsd-isp@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-isp
To unsubscribe, send any mail to "freebsd-isp-unsubscribe@xxxxxxxxxxx"
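Whether a peer reports the key as valid or invalid comes down to whether both ends compute the same RFC 2385 digest over each segment. As an added illustration (not part of this post, and not Quagga or FreeBSD code), the Python below builds a TCP segment carrying the TCP-MD5 option, computes the digest the way RFC 2385 specifies (IPv4 pseudo-header, the fixed 20-byte TCP header with the checksum zeroed, the segment data, then the key; TCP options, including the signature option itself, are not covered) and verifies it on the receiving side. The addresses, ports, key and the BGP KEEPALIVE payload are constructed placeholders. It also shows that checking the same key with the address pair reversed fails, because the pseudo-header fixes the address order: a receiver must pick the key by the (source, destination) pair of the segment as it arrives.

```python
"""RFC 2385 TCP-MD5 signature: compute and verify over a constructed segment.
Added example; addresses, ports, key and payload below are constructed placeholders."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

TCP_PROTO = 6
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_SIGNATURE = 0, 1, 19   # option kind 19, length 18 (RFC 2385)
SIG_LEN = 16                                          # MD5 digest size


def tcp_md5_digest(src_ip: str, dst_ip: str, segment: bytes, key: bytes) -> bytes:
    """MD5 over pseudo-header + fixed TCP header (checksum zeroed) + data + key.
    'segment' is the whole TCP segment (header, options, data); options are skipped,
    but the pseudo-header's segment length still counts them."""
    data_offset = (segment[12] >> 4) * 4
    pseudo = (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    fixed_hdr = bytearray(segment[:20])
    fixed_hdr[16:18] = b"\x00\x00"                    # checksum field is zero for the digest
    m = hashlib.md5()
    m.update(pseudo)
    m.update(bytes(fixed_hdr))
    m.update(segment[data_offset:])                   # segment data only, no options
    m.update(key)
    return m.digest()


def build_signed_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, flags, window,
                         payload: bytes, key: bytes) -> bytes:
    """Assemble header + signature option (padded with two NOPs) + payload, then sign.
    The TCP checksum is left at zero here; a real stack fills it in afterwards, and
    it is excluded from the digest anyway."""
    opt_len = 2 + SIG_LEN + 2                         # kind, len, digest, NOP, NOP = 20 bytes
    data_offset = (20 + opt_len) // 4                 # 10 32-bit words
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                         data_offset << 4, flags, window, 0, 0)
    opt_head = bytes([TCPOPT_SIGNATURE, 2 + SIG_LEN])
    opt_tail = bytes([TCPOPT_NOP, TCPOPT_NOP])
    placeholder = opt_head + b"\x00" * SIG_LEN + opt_tail
    digest = tcp_md5_digest(src_ip, dst_ip, header + placeholder + payload, key)
    return header + opt_head + digest + opt_tail + payload


def find_signature_option(options: bytes):
    """Walk the TCP option list and return the 16-byte digest from a kind-19 option, else None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            break                                     # truncated option header
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break                                     # malformed length
        if kind == TCPOPT_SIGNATURE and length == 2 + SIG_LEN:
            return options[i + 2:i + length]
        i += length
    return None


def verify_segment(src_ip: str, dst_ip: str, segment: bytes, key: bytes) -> bool:
    """Receiver-side check: src_ip/dst_ip are taken from the IP header of the arriving
    packet, so the key must be the one configured for that (src, dst) direction."""
    if len(segment) < 20:
        return False
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        return False
    received = find_signature_option(segment[20:data_offset])
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, segment, key)
    return hmac.compare_digest(received, expected)    # constant-time comparison


def demo():
    """Sign a constructed BGP KEEPALIVE and check it with the right key, a wrong key,
    a tampered payload and a reversed address pair."""
    key = b"<validBGPKey>"                            # constructed placeholder, not a real key
    keepalive = b"\xff" * 16 + struct.pack("!HB", 19, 4)   # marker, length=19, type=KEEPALIVE
    seg = build_signed_segment("192.0.2.1", "192.0.2.2", 179, 40001, 1000, 2000,
                               0x18, 65535, keepalive, key)
    tampered = bytearray(seg)
    tampered[-1] ^= 1                                 # flip a bit in the covered payload
    return (verify_segment("192.0.2.1", "192.0.2.2", seg, key),
            verify_segment("192.0.2.1", "192.0.2.2", seg, b"wrong-key"),
            verify_segment("192.0.2.1", "192.0.2.2", bytes(tampered), key),
            verify_segment("192.0.2.2", "192.0.2.1", seg, key))


if __name__ == "__main__":
    print(demo())   # (True, False, False, False)
```

The last result is the one worth noting when reading "SADB lookup failed" messages: the digest is bound to the ordered address pair, so the key used to check an inbound segment is selected by the peer's address as source and the local address as destination, the opposite order from the outbound segments.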