Date: Thu, 28 Nov 2013 16:05:55 +0100
From: Ermal Luçi <eri@freebsd.org>
To: Antoine Beaupré <anarcat@koumbit.org>
Cc: freebsd-net <freebsd-net@freebsd.org>
Subject: Re: OpenBGPd + TCP-MD5 sig fails after a few weeks
Message-ID: <CAPBZQG17w218wB3SsJ8rvCLzP4hKz4N5=zE-YLnMws5H-x2_FQ@mail.gmail.com>
In-Reply-To: <874n6xu31q.fsf@marcos.anarc.at>
References: <87zjoqu3wr.fsf@marcos.anarc.at> <CAPBZQG192HxfHfCj7zkWO-Ot95+Y7vr8VJ47OyzNhD2jxuZTKg@mail.gmail.com> <874n6xu31q.fsf@marcos.anarc.at>
On Wed, Nov 27, 2013 at 7:12 PM, Antoine Beaupré <anarcat@koumbit.org> wrote:
> On 2013-11-27 05:58:12, Ermal Luçi wrote:
> > You can use the port here
> > https://github.com/pfsense/pfsense-tools/tree/master/pfPorts/openbgpd
> > It has integration with pfkey sockets of FreeBSD in the daemon itself and
> > you have to specify only the spd policy through setkey.
> >
> > It works for pfSense.
>
> While it seems to bootstrap properly, it still fails to install a
> security association, in my bgpd.conf:
>
> tcp md5sig password "[...]"
>

Probably because you are putting " (quotes) on the password and that is wrong.
That means password on the connection is wrong since it has " in it.
Think it's an issue of the bgpd parser on this.

> Startup log:
>
> root@rtr0:/usr/home/anarcat # bgpd -d
> startup
> rereading config
> route decision engine ready
> session engine ready
> RDE reconfigured
> listening on 0.0.0.0
> listening on ::
> SE reconfigured
> neighbor 199.58.81.1 (rtr1): state change None -> Idle, reason: None
> neighbor 38.104.152.101 (Cogent): state change None -> Idle, reason: None
> neighbor 199.58.81.1 (rtr1): state change Idle -> Connect, reason: Start
> pfkey: Invalid argument
> neighbor 38.104.152.101 (Cogent): pfkey setup failed
> neighbor 199.58.81.1 (rtr1): state change Connect -> Active, reason: Connection open failed
> ^Cneighbor 199.58.81.1 (rtr1): state change Active -> Idle, reason: Stop
> kernel routing table 0 (Loc-RIB) decoupled
> pfkey: Invalid argument
> route decision engine exiting
> session engine exiting
> Terminating
>
> What do I need to set with setkey?
>
> It seems to send the wrong password to the other side:
>
> 13:06:33.455309 IP (tos 0x0, ttl 255, id 18405, offset 0, flags [DF], proto TCP (6), length 68, bad cksum 0 (->b632)!)
>     38.104.152.102.179 > 38.104.152.101.44659: Flags [S.], cksum 0xe57b (correct), seq 2310073167, ack 669413589, win 65535, options [mss 1436,nop,wscale 6,nop,nop,md5invalid], length 0
>
> After removing the tcpsig from my config, things work again because the
> other side is initiating the connexion... But connexions initiated from
> our side are not properly signed.
>
> Also, I have another bgpd that I want to set up an iBGP session with, and
> this one loops to death:
>
> neighbor 199.58.81.1 (rtr1): state change Idle -> Connect, reason: Start
> neighbor 199.58.81.1 (rtr1): state change Connect -> OpenSent, reason: Connection opened
> neighbor 199.58.81.1 (rtr1): state change OpenSent -> OpenConfirm, reason: OPEN message received
> neighbor 199.58.81.1 (rtr1): state change OpenConfirm -> Established, reason: KEEPALIVE message received
> neighbor 199.58.81.1 (rtr1): graceful restart of IPv4 unicast, keeping routes
> neighbor 199.58.81.1 (rtr1): state change Established -> Idle, reason: Connection closed
> neighbor 199.58.81.1 (rtr1): state change Idle -> Connect, reason: Start
> neighbor 199.58.81.1 (rtr1): state change Connect -> OpenSent, reason: Connection opened
> neighbor 199.58.81.1 (rtr1): state change OpenSent -> OpenConfirm, reason: OPEN message received
> neighbor 199.58.81.1 (rtr1): state change OpenConfirm -> Established, reason: KEEPALIVE message received
> neighbor 199.58.81.1 (rtr1): graceful restart of IPv4 unicast, keeping routes
> neighbor 199.58.81.1 (rtr1): state change Established -> Idle, reason: Connection closed
>
> ... etc. After restarting the other daemon, it seems to work properly,
> but that was really scary...
>
> neighbor 199.58.81.1 (rtr1): state change Connect -> OpenSent, reason: Connection opened
> neighbor 199.58.81.1 (rtr1): state change OpenSent -> OpenConfirm, reason: OPEN message received
> neighbor 199.58.81.1 (rtr1): state change OpenConfirm -> Established, reason: KEEPALIVE message received
>
> a.
>
> --
> Freedom is being able to make decisions that affect mainly you. Power
> is being able to make decisions that affect others more than you. If
> we confuse power with freedom, we will fail to uphold real freedom.
> - Richard Stallman
>

-- 
Ermal
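To make the diagnosed failure concrete: the following is an added example, not code from this thread or from OpenBGPd, that computes and verifies an RFC 2385 TCP-MD5 digest in Python over a constructed SYN-ACK built from the tcpdump line quoted above. The two key values, the `tcp_md5_sign`/`tcp_md5_verify` names and the `SAMPLE_SYNACK` dictionary are assumptions for illustration. It shows that if the surrounding quote characters become part of the secret, the peer hashes a different key and the digest carried in TCP option 19 no longer verifies, which is consistent with the `md5invalid` the capture reports.

```python
"""RFC 2385 TCP-MD5 signature: sign and verify one constructed segment (added example)."""
import hashlib
import hmac
import ipaddress
import struct

TCPOPT_MD5SIG = 19      # option kind defined by RFC 2385
TCPOLEN_MD5SIG = 18     # kind (1) + length (1) + digest (16)
IPPROTO_TCP = 6
TH_SYN, TH_ACK = 0x02, 0x10


def _padded(n):
    """Round an options length up to the 32-bit boundary the TCP header requires."""
    return (n + 3) // 4 * 4


def tcp_md5_sign(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                 payload, key, other_options_len=0):
    """Return the RFC 2385 digest for one IPv4 TCP segment.

    The hash covers, in order: the IPv4 pseudo-header (src, dst, zero, proto,
    TCP length), the 20-byte fixed TCP header with the checksum zeroed (its
    data offset still counts the options that go on the wire), the payload,
    and the raw key. The options themselves are excluded from the hash.
    """
    options_len = _padded(other_options_len + TCPOLEN_MD5SIG)
    header_len = 20 + options_len
    fixed_header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                               (header_len // 4) << 4, flags, window, 0, 0)
    pseudo_header = struct.pack("!4s4sBBH",
                                ipaddress.IPv4Address(src_ip).packed,
                                ipaddress.IPv4Address(dst_ip).packed,
                                0, IPPROTO_TCP, header_len + len(payload))
    return hashlib.md5(pseudo_header + fixed_header + payload + key).digest()


def tcp_md5_verify(received_digest, **segment):
    """Constant-time comparison of a received option-19 digest with our own."""
    return hmac.compare_digest(tcp_md5_sign(**segment), received_digest)


# Constructed SYN-ACK mirroring the tcpdump line in the thread. The other
# options are mss (4) + nop (1) + wscale (3) + nop (1) + nop (1) = 10 bytes.
SAMPLE_SYNACK = dict(src_ip="38.104.152.102", dst_ip="38.104.152.101",
                     sport=179, dport=44659, seq=2310073167, ack=669413589,
                     flags=TH_SYN | TH_ACK, window=65535, payload=b"",
                     other_options_len=10)

# Both keys are made up for this example. The second is what a daemon ends up
# hashing if the quotes in the config line are taken as part of the secret.
KEY_INTENDED = b"s3cret"
KEY_WITH_QUOTES = b'"s3cret"'


def demo():
    """Sign with the intended key and report what each kind of peer concludes."""
    digest = tcp_md5_sign(**SAMPLE_SYNACK, key=KEY_INTENDED)
    return {
        "digest_hex": digest.hex(),
        "peer_with_same_key_accepts":
            tcp_md5_verify(digest, **SAMPLE_SYNACK, key=KEY_INTENDED),
        "peer_with_quoted_key_accepts":
            tcp_md5_verify(digest, **SAMPLE_SYNACK, key=KEY_WITH_QUOTES),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only the fixed header and key enter the hash, so a mismatch like this cannot be debugged from the packet alone: both sides produce a valid-looking 16-byte option, and only the receiver's verification against its own key reveals the disagreement.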
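For the two symptoms in the quoted logs, a session that keeps dropping from Established back to Idle and a neighbor whose pfkey setup failed, here is an added example (not from the thread or from OpenBGPd) of a small Python analyzer that flags both from bgpd's state-change output. The sample log is constructed from the lines quoted above, including the mail-client wrapping after "reason:" that the `unwrap` helper re-joins; the function names and the flap threshold are assumptions.

```python
"""Flag flapping peers and pfkey failures in bgpd state-change logs (added example)."""
import re
from collections import Counter

STATE_CHANGE = re.compile(
    r"^neighbor (?P<peer>\S+) \((?P<name>[^)]+)\): state change "
    r"(?P<old>\w+) -> (?P<new>\w+), reason: (?P<reason>.*)$")
PFKEY_FAIL = re.compile(
    r"^neighbor (?P<peer>\S+) \((?P<name>[^)]+)\): pfkey setup failed$")


def unwrap(lines):
    """Re-join log lines that were folded mid-message by a mail client.

    Heuristic: if the previous kept line ends with ':' or ',', the current
    line is its continuation (this is where the quoted log was wrapped).
    """
    out = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if out and out[-1].endswith((":", ",")):
            out[-1] = out[-1] + " " + line
        else:
            out.append(line)
    return out


def analyze(lines, flap_threshold=2):
    """Count Established -> Idle drops per peer and collect pfkey failures.

    A peer whose drop count reaches flap_threshold is reported as flapping.
    """
    drops = Counter()
    pfkey_failures = []
    for line in unwrap(lines):
        m = STATE_CHANGE.match(line)
        if m:
            if m["old"] == "Established" and m["new"] == "Idle":
                drops[m["peer"]] += 1
            continue
        m = PFKEY_FAIL.match(line)
        if m:
            pfkey_failures.append(m["peer"])
    return {
        "drops": dict(drops),
        "flapping": sorted(p for p, n in drops.items() if n >= flap_threshold),
        "pfkey_failures": pfkey_failures,
    }


# Constructed sample assembled from the lines quoted in the thread, keeping
# the wrapping after "reason:" / "Established," so unwrap() has work to do.
SAMPLE_LOG = """\
neighbor 199.58.81.1 (rtr1): state change None -> Idle, reason: None
neighbor 38.104.152.101 (Cogent): state change None -> Idle, reason:
None
pfkey: Invalid argument
neighbor 38.104.152.101 (Cogent): pfkey setup failed
neighbor 199.58.81.1 (rtr1): state change Idle -> Connect, reason: Start
neighbor 199.58.81.1 (rtr1): state change Connect -> OpenSent, reason:
Connection opened
neighbor 199.58.81.1 (rtr1): state change OpenSent -> OpenConfirm, reason:
OPEN message received
neighbor 199.58.81.1 (rtr1): state change OpenConfirm -> Established,
reason: KEEPALIVE message received
neighbor 199.58.81.1 (rtr1): graceful restart of IPv4 unicast, keeping
routes
neighbor 199.58.81.1 (rtr1): state change Established -> Idle, reason:
Connection closed
neighbor 199.58.81.1 (rtr1): state change Idle -> Connect, reason: Start
neighbor 199.58.81.1 (rtr1): state change Connect -> OpenSent, reason:
Connection opened
neighbor 199.58.81.1 (rtr1): state change OpenSent -> OpenConfirm, reason:
OPEN message received
neighbor 199.58.81.1 (rtr1): state change OpenConfirm -> Established,
reason: KEEPALIVE message received
neighbor 199.58.81.1 (rtr1): state change Established -> Idle, reason:
Connection closed
""".splitlines()


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On a live system the same function can be fed `bgpd -d` output or the syslog lines directly, in which case no unwrapping is needed and the heuristic in `unwrap` simply never fires.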