Date:      Sun, 21 Sep 2014 13:44:49 -0500
From:      Jim Thompson <jim@netgate.com>
To:        Olivier Cochard-Labbé <olivier@cochard.me>
Cc:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>, "Paul S." <contact@winterei.se>
Subject:   Re: IP fast forwarding and setkey
Message-ID:  <2F5CE512-4C4F-4D6B-A6DA-C349CF75C54D@netgate.com>
In-Reply-To: <CA%2Bq%2BTcpygKBrDjnS1_-JeXxeQeH=YqAjY9qjJpEPXKTGOXBt%2BQ@mail.gmail.com>
References:  <541EA396.7050201@winterei.se> <CA%2Bq%2BTcpygKBrDjnS1_-JeXxeQeH=YqAjY9qjJpEPXKTGOXBt%2BQ@mail.gmail.com>



> On Sep 21, 2014, at 10:41, Olivier Cochard-Labbé <olivier@cochard.me> wrote:
>
>> On Sun, Sep 21, 2014 at 12:08 PM, Paul S. <contact@winterei.se> wrote:
>>
>> Hi folks,
>>
>> I plan to make an edge router out of a freebsd system with OpenBGPD +
>> FreeBSD 10, or such.
>>
>> I've been reading up, and noticed that the net.inet.ip.fastforwarding flag
>> provides rather nice performance benefits.
>>
>> My issue is, my upstream networks insist on using TCP MD5 authentication
>> on their BGP sessions.
>>
>> This is fine, except on FreeBSD -- I'm going to have to use the setkey
>> utility to set those since native PF_KEY support for OpenBGPD does not seem
>> available.
>>
>> Now, since setkey is part of IPSec, and there are countless warnings about
>> using IPSec and fastforwarding together in the manpage, am I correct in
>> assuming that this will not work if I have fastforwarding enabled?
>>
>> Is there any way to make it work? Quagga, from what I've read, seems to
>> also be in the same boat (Usage of setkey required for TCP MD5).
> fastforwarding is not compatible with IPSec only but can be used with
> TCP_MD5 without problem (tested on FreeBSD 10-stable).

Even this is solvable, and will likely occur in a future version of pfSense.

Jim



