Date: Wed, 27 Nov 2013 13:12:33 -0500
From: Antoine Beaupré <anarcat@koumbit.org>
To: Ermal Luçi <eri@freebsd.org>
Cc: freebsd-net <freebsd-net@freebsd.org>
Subject: Re: OpenBGPd + TCP-MD5 sig fails after a few weeks
Message-ID: <874n6xu31q.fsf@marcos.anarc.at>
In-Reply-To: <CAPBZQG192HxfHfCj7zkWO-Ot95%2BY7vr8VJ47OyzNhD2jxuZTKg@mail.gmail.com>
References: <87zjoqu3wr.fsf@marcos.anarc.at> <CAPBZQG192HxfHfCj7zkWO-Ot95%2BY7vr8VJ47OyzNhD2jxuZTKg@mail.gmail.com>

On 2013-11-27 05:58:12, Ermal Luçi wrote:
> You can use the port here
> https://github.com/pfsense/pfsense-tools/tree/master/pfPorts/openbgpd
> It has integration with pfkey sockets of FreeBSD in the daemon itself and
> you have to specify only the spd policy through setkey.
>
> It works for pfSense.

While it seems to bootstrap properly, it still fails to install a
security association, in my bgpd.conf:

        tcp md5sig password "[...]"

Startup log:

root@rtr0:/usr/home/anarcat # bgpd -d
startup
rereading config
route decision engine ready
session engine ready
RDE reconfigured
listening on 0.0.0.0
listening on ::
SE reconfigured
neighbor 199.58.81.1 (rtr1): state change None -> Idle, reason: None
neighbor 38.104.152.101 (Cogent): state change None -> Idle, reason: None
neighbor 199.58.81.1 (rtr1): state change Idle -> Connect, reason: Start
pfkey: Invalid argument
neighbor 38.104.152.101 (Cogent): pfkey setup failed
neighbor 199.58.81.1 (rtr1): state change Connect -> Active, reason: Connection open failed
^Cneighbor 199.58.81.1 (rtr1): state change Active -> Idle, reason: Stop
kernel routing table 0 (Loc-RIB) decoupled
pfkey: Invalid argument
route decision engine exiting
session engine exiting
Terminating

What do I need to set with setkey?

It seems to send the wrong password to the other side:

13:06:33.455309 IP (tos 0x0, ttl 255, id 18405, offset 0, flags [DF], proto TCP (6), length 68, bad cksum 0 (->b632)!)
    38.104.152.102.179 > 38.104.152.101.44659: Flags [S.], cksum 0xe57b (correct), seq 2310073167, ack 669413589, win 65535, options [mss 1436,nop,wscale 6,nop,nop,md5invalid], length 0

After removing the tcpsig from my config, things work again because the
other side is initiating the connexion... But connexions initiated from
our side are not properly signed.

Also, I have another bgpd that I want to set up an iBGP session with, and
this one loops to death:

neighbor 199.58.81.1 (rtr1): state change Idle -> Connect, reason: Start
neighbor 199.58.81.1 (rtr1): state change Connect -> OpenSent, reason: Connection opened
neighbor 199.58.81.1 (rtr1): state change OpenSent -> OpenConfirm, reason: OPEN message received
neighbor 199.58.81.1 (rtr1): state change OpenConfirm -> Established, reason: KEEPALIVE message received
neighbor 199.58.81.1 (rtr1): graceful restart of IPv4 unicast, keeping routes
neighbor 199.58.81.1 (rtr1): state change Established -> Idle, reason: Connection closed
neighbor 199.58.81.1 (rtr1): state change Idle -> Connect, reason: Start
neighbor 199.58.81.1 (rtr1): state change Connect -> OpenSent, reason: Connection opened
neighbor 199.58.81.1 (rtr1): state change OpenSent -> OpenConfirm, reason: OPEN message received
neighbor 199.58.81.1 (rtr1): state change OpenConfirm -> Established, reason: KEEPALIVE message received
neighbor 199.58.81.1 (rtr1): graceful restart of IPv4 unicast, keeping routes
neighbor 199.58.81.1 (rtr1): state change Established -> Idle, reason: Connection closed
... etc.

After restarting the other daemon, it seems to work properly, but that
was really scary...

neighbor 199.58.81.1 (rtr1): state change Connect -> OpenSent, reason: Connection opened
neighbor 199.58.81.1 (rtr1): state change OpenSent -> OpenConfirm, reason: OPEN message received
neighbor 199.58.81.1 (rtr1): state change OpenConfirm -> Established, reason: KEEPALIVE message received

a.

-- 
Freedom is being able to make decisions that affect mainly you. Power
is being able to make decisions that affect others more than you. If
we confuse power with freedom, we will fail to uphold real freedom.
                        - Richard Stallman
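
Added example, not part of the original message and not OpenBGPd or FreeBSD code: how the RFC 2385 TCP-MD5 signature that tcpdump reports as md5invalid in the capture above is computed and checked against a password. The sample segment is constructed from the capture's addresses, ports and sequence numbers, and the password is a placeholder because the post does not show the real one.

```python
import hashlib
import hmac
import socket
import struct

TCPOPT_MD5SIG = 19  # option kind defined by RFC 2385; carries a 16-byte MD5 digest

def rfc2385_digest(src_ip, dst_ip, segment, password):
    """MD5 over pseudo-header, 20-byte TCP header (checksum zeroed, options
    excluded), segment data, then the shared password."""
    data_offset = (segment[12] >> 4) * 4  # full header length, options included
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    fixed = segment[:16] + b"\x00\x00" + segment[18:20]
    return hashlib.md5(pseudo + fixed + segment[data_offset:] + password).digest()

def find_md5_option(segment):
    """Return the digest carried in TCP option 19, or None if it is absent."""
    i, end = 20, (segment[12] >> 4) * 4
    while i < end and segment[i] != 0:        # kind 0 ends the option list
        if segment[i] == 1:                   # NOP is a single byte
            i += 1
            continue
        if i + 1 >= end:
            break
        length = segment[i + 1]
        if length < 2 or i + length > end:    # malformed option: stop parsing
            break
        if segment[i] == TCPOPT_MD5SIG and length == 18:
            return segment[i + 2:i + 18]
        i += length
    return None

def verify(src_ip, dst_ip, segment, password):
    """True only if the segment carries a digest that matches this password."""
    carried = find_md5_option(segment)
    expected = rfc2385_digest(src_ip, dst_ip, segment, password)
    return carried is not None and hmac.compare_digest(carried, expected)

# Constructed sample: a SYN-ACK using the addresses, ports, seq/ack and window from
# the capture above. The password is a placeholder, not the one from the post.
SRC, DST, KEY = "38.104.152.102", "38.104.152.101", b"placeholder-secret"
_hdr = struct.pack("!HHIIHHHH", 179, 44659, 2310073167, 669413589,
                   (10 << 12) | 0x012, 65535, 0, 0)
_opts = b"\x01\x01" + bytes([TCPOPT_MD5SIG, 18])  # NOP, NOP, kind 19, length 18
SAMPLE = _hdr + _opts + rfc2385_digest(SRC, DST, _hdr + _opts + bytes(16), KEY)

if __name__ == "__main__":
    print("correct password:", verify(SRC, DST, SAMPLE, KEY))
    print("wrong password:  ", verify(SRC, DST, SAMPLE, b"other-secret"))
```

The digest covers the addresses in the pseudo-header, so a segment checked with the endpoints swapped, or with a password that differs between the two peers, fails verification.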