Date:      Tue, 12 Jun 2018 16:02:03 +0200
From:      Patrick Lamaiziere <patfbsd@davenulle.org>
To:        FreeBSD Net <freebsd-net@freebsd.org>
Subject:   Re: 11.2-RC1 setkey invalid spi ?
Message-ID:  <20180612160116.58df4001@mr185083>
In-Reply-To: <20180612143447.697681c5@mr185083>
References:  <20180612143447.697681c5@mr185083>

On Tue, 12 Jun 2018 14:34:47 +0200,
Patrick Lamaiziere <patfbsd@davenulle.org> wrote:

Hello

I changed the subject because this is not related to bird at all.

> I'm trying Bird 2 on FreeBSD 11.2 using tcp md5 signature for BGP
> connections.
>
> Bird2 has an option to set the needed ipsec SA/SP but here this does
> not work.
>
> The first entry (0.0.0.0 129.20.128.78) is correct but the second one
> (129.20.128.78 0.0.0.0) has an invalid spi field (should be 0x1000).
> The spi value changes each time bird runs so it looks uninitialized.
>
> # setkey -D
> 129.20.128.78 0.0.0.0
> 	tcp mode=any spi=131144976(0x07d11d10) reqid=0(0x00000000)
> 	A: tcp-md5  32626770 2d313421
> 	seq=0x00000000 replay=0 flags=0x00000040 state=mature
> 	created: Jun 12 14:15:50 2018	current: Jun 12 14:24:31 2018
> 	diff: 521(s)	hard: 0(s)	soft: 0(s)
> 	last:                     	hard: 0(s)	soft: 0(s)
> 	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
> 	allocated: 0	hard: 0	soft: 0
> 	sadb_seq=1 pid=49180 refcnt=1
> 0.0.0.0 129.20.128.78
> 	tcp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
> 	A: tcp-md5  32626770 2d313421
> 	seq=0x00000000 replay=0 flags=0x00000040 state=mature
> 	created: Jun 12 14:15:50 2018	current: Jun 12 14:24:31 2018
> 	diff: 521(s)	hard: 0(s)	soft: 0(s)
> 	last:                     	hard: 0(s)	soft: 0(s)
> 	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
> 	allocated: 0	hard: 0	soft: 0
> 	sadb_seq=0 pid=49180 refcnt=1

Well, I can reproduce this problem by using setkey(8):

/etc/ipsec.conf
add 129.20.128.78 129.20.128.149 tcp 0x1000 -A tcp-md5 "secret";
add 129.20.128.149 129.20.128.78 tcp 0x1000 -A tcp-md5 "secret";

# setkey -D
No SAD entries.

# setkey -f /etc/ipsec.conf
# setkey -D
129.20.128.149 129.20.128.78
	tcp mode=any spi=106079004(0x0652a31c) reqid=0(0x00000000)
	A: tcp-md5  73656372 6574
	seq=0x00000000 replay=0 flags=0x00000040 state=mature
	created: Jun 12 15:57:28 2018	current: Jun 12 15:57:36 2018
	diff: 8(s)	hard: 0(s)	soft: 0(s)
	last:                     	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=1 pid=5405 refcnt=1
129.20.128.78 129.20.128.149
	tcp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
	A: tcp-md5  73656372 6574
	seq=0x00000000 replay=0 flags=0x00000040 state=mature
	created: Jun 12 15:57:28 2018	current: Jun 12 15:57:36 2018
	diff: 8(s)	hard: 0(s)	soft: 0(s)
	last:                     	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=0 pid=5405 refcnt=1

The spi field looks wrong :(

That works fine on FreeBSD 10.3.

Same problem on a FreeBSD 11.1-STABLE #1 r326391: Thu Nov 30 12:07:50
CET 2017

Regards.
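As an added example (not part of the message above, and not code from FreeBSD's setkey(8) or from bird): a small Python check that parses a `setkey -D` dump and compares every installed tcp-md5 SA against the SPIs that /etc/ipsec.conf asked for, so a mismatch like the one reported here is caught mechanically instead of by eye. The SAD text embedded below is transcribed from the dump in the message (lifetime lines dropped, as the check does not need them); the expected-SPI table mirrors the two `add` lines of the posted ipsec.conf. The parser assumes only the layout visible in that dump: a `src dst` header line followed by indented `proto mode=... spi=<dec>(<hex>)` and `A: <alg> <key hex>` lines.

```python
"""Check the SPIs of installed TCP-MD5 SAs against the configured ones.

Added example for the setkey(8) SAD dump quoted in the thread; it is not
FreeBSD or bird code.  Run it as-is to see the mismatch, or feed it the
real `setkey -D` output (e.g. parse_sad(sys.stdin.read())).
"""
import re
from typing import Dict, List, Optional, Tuple

# Transcribed from the `setkey -D` output in the message (constructed
# sample input: the lifetime/counter lines are omitted).
SAD_DUMP = """\
129.20.128.149 129.20.128.78
\ttcp mode=any spi=106079004(0x0652a31c) reqid=0(0x00000000)
\tA: tcp-md5  73656372 6574
\tseq=0x00000000 replay=0 flags=0x00000040 state=mature
129.20.128.78 129.20.128.149
\ttcp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
\tA: tcp-md5  73656372 6574
\tseq=0x00000000 replay=0 flags=0x00000040 state=mature
"""

# What /etc/ipsec.conf in the message requested: (src, dst) -> spi.
EXPECTED: Dict[Tuple[str, str], int] = {
    ("129.20.128.78", "129.20.128.149"): 0x1000,
    ("129.20.128.149", "129.20.128.78"): 0x1000,
}

# Header line: two addresses, no leading whitespace.
HEADER_RE = re.compile(r"^(\S+) (\S+)$")
# First indented line of an SA: proto, mode and the decimal(hex) SPI pair.
SA_RE = re.compile(r"^\s+(\S+) mode=(\S+) spi=(\d+)\((0x[0-9a-fA-F]+)\)")
# Authentication line: algorithm followed by the key in hex groups.
AUTH_RE = re.compile(r"^\s+A: (\S+)\s+(.*)$")


def parse_sad(text: str) -> List[Dict[str, object]]:
    """Return one dict per SA: src, dst, proto, mode, spi (int), auth, key_hex."""
    sas: List[Dict[str, object]] = []
    cur: Optional[Dict[str, object]] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
            continue
        if cur is None:
            continue  # e.g. "No SAD entries." before any header
        m = SA_RE.match(line)
        if m:
            cur["proto"] = m.group(1)
            cur["mode"] = m.group(2)
            cur["spi"] = int(m.group(3))
            # setkey prints the SPI twice; both renderings must agree.
            if int(m.group(4), 16) != cur["spi"]:
                raise ValueError(f"inconsistent spi fields: {line!r}")
            continue
        m = AUTH_RE.match(line)
        if m:
            cur["auth"] = m.group(1)
            cur["key_hex"] = m.group(2).replace(" ", "")
    return sas


def check_spis(sas: List[Dict[str, object]],
               expected: Dict[Tuple[str, str], int]
               ) -> List[Tuple[str, str, int, Optional[int]]]:
    """Return (src, dst, wanted_spi, installed_spi) for each tcp-md5 SA
    whose installed SPI differs from the configured one; installed_spi is
    None when the SA is missing altogether."""
    installed: Dict[Tuple[str, str], int] = {}
    for sa in sas:
        if sa.get("auth") == "tcp-md5":
            installed[(str(sa["src"]), str(sa["dst"]))] = int(sa["spi"])  # type: ignore[arg-type]
    problems = []
    for key, want in expected.items():
        got = installed.get(key)
        if got != want:
            problems.append((key[0], key[1], want, got))
    return problems


if __name__ == "__main__":
    sas = parse_sad(SAD_DUMP)
    for sa in sas:
        # setkey -D shows the shared secret in hex to root; decode it to
        # confirm it is the configured key and not the SPI that was mangled.
        key = bytes.fromhex(str(sa["key_hex"]))
        print(f"{sa['src']} -> {sa['dst']}: spi=0x{sa['spi']:08x} key={key!r}")
    for src, dst, want, got in check_spis(sas, EXPECTED):
        shown = "missing" if got is None else f"0x{got:08x}"
        print(f"SPI mismatch {src} -> {dst}: wanted 0x{want:08x}, installed {shown}")
```

Running it against the transcribed dump flags only the 129.20.128.149 -> 129.20.128.78 entry, whose installed SPI is 0x0652a31c instead of the requested 0x1000; the key bytes decode to "secret" in both directions, which narrows the problem to the SPI field alone.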




