Date:      Tue, 12 Jun 2018 14:34:47 +0200
From:      Patrick Lamaiziere <patfbsd@davenulle.org>
To:        FreeBSD Net <freebsd-net@freebsd.org>
Subject:   11.2-RC1 bird 2 BGP invalid ipsec SA/SP
Message-ID:  <20180612143447.697681c5@mr185083>

Hello,

I'm trying Bird 2 on FreeBSD 11.2 using tcp md5 signature for BGP
connections.

Bird2 has an option to set the needed ipsec SA/SP but here this does
not work.

The first entry (0.0.0.0 129.20.128.78) is correct but the second one
(129.20.128.78 0.0.0.0) has an invalid spi field (should be 0x1000). The
spi value changes each time bird runs so it looks uninitialized.

# setkey -D
129.20.128.78 0.0.0.0
	tcp mode=any spi=131144976(0x07d11d10) reqid=0(0x00000000)
	A: tcp-md5  32626770 2d313421
	seq=0x00000000 replay=0 flags=0x00000040 state=mature 
	created: Jun 12 14:15:50 2018	current: Jun 12 14:24:31 2018
	diff: 521(s)	hard: 0(s)	soft: 0(s)
	last:                     	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=1 pid=49180 refcnt=1
0.0.0.0 129.20.128.78
	tcp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
	A: tcp-md5  32626770 2d313421
	seq=0x00000000 replay=0 flags=0x00000040 state=mature 
	created: Jun 12 14:15:50 2018	current: Jun 12 14:24:31 2018
	diff: 521(s)	hard: 0(s)	soft: 0(s)
	last:                     	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=0 pid=49180 refcnt=1

Also, FreeBSD has a patch on Bird to add the second entry. I think this
patch should be submitted upstream. (I can do it, but some explanation
would be welcome.)

See also:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218907

Any clue?

Thanks, regards.
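
Added example (not part of the original message, and not Bird or FreeBSD code): a shell function that reads `setkey -D` output and reports tcp-md5 SAs whose SPI differs from the 0x1000 (4096) that the post says is expected. The function names, the default value passed as a decimal argument, and the sample SAs are constructed for illustration.

```shell
#!/bin/sh
# Flag tcp-md5 SAs in `setkey -D` output whose SPI is not the expected value.
# Usage: setkey -D | check_tcpmd5_spi [expected_spi_decimal]
# Prints "src dst spi_hex" for each mismatch; returns 1 if any were found.
check_tcpmd5_spi() {
    awk -v want="${1:-4096}" '
        # SA header line: "src dst", starting in column one.
        /^[^ \t]/ && NF == 2 { src = $1; dst = $2; hex = ""; next }
        # Protocol line of a TCP SA carries "spi=DEC(0xHEX)".
        /^[ \t]+tcp / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^spi=/) {
                    split($i, p, /[=()]/)   # p[2] = decimal, p[3] = hex
                    dec = p[2]; hex = p[3]
                }
            next
        }
        # Authentication line confirms this SA is a tcp-md5 one.
        /^[ \t]+A: tcp-md5/ && hex != "" {
            if (dec + 0 != want + 0) { print src, dst, hex; bad = 1 }
            hex = ""
        }
        END { exit bad + 0 }
    '
}

# Constructed sample modelled on the output in the post
# (documentation address and zeroed key bytes, not real values).
sample_setkey_output() {
    cat <<'EOF'
192.0.2.1 0.0.0.0
	tcp mode=any spi=131144976(0x07d11d10) reqid=0(0x00000000)
	A: tcp-md5  00000000 00000000
	seq=0x00000000 replay=0 flags=0x00000040 state=mature
	sadb_seq=1 pid=1234 refcnt=1
0.0.0.0 192.0.2.1
	tcp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
	A: tcp-md5  00000000 00000000
	seq=0x00000000 replay=0 flags=0x00000040 state=mature
	sadb_seq=0 pid=1234 refcnt=1
EOF
}
```

Running `sample_setkey_output | check_tcpmd5_spi` reports only the SA whose SPI is not 4096; on a live system, pipe `setkey -D` into the function instead.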



