This stems from a discussion that started here: http://lists.freebsd.org/pipermail/freebsd-net/2013-November/037133.html

Basically, while it is possible to hack your way through it, the FreeBSD port of OpenBGPd doesn't support MD5 passwords. The way to hack around it is to add SPD policies with setkey, but then it doesn't work when initiating connections. This was also reported here first: http://lists.freebsd.org/pipermail/freebsd-net/2012-January/030921.html

Fix: The fix is to use pfSense's OpenBGPd port. I built a patch which imports from both ports and figures out the best of both worlds, attached.

Patch attached with submission follows:

How-To-Repeat: Configure two FreeBSD OpenBGPd routers, set an ipsec policy as such:

    add -n 38.104.152.101 38.104.152.102 tcp 0x1000 -A tcp-md5 "[...]";
    add -n 38.104.152.102 38.104.152.101 tcp 0x1000 -A tcp-md5 "[...]";

and with the following kernel config:

    options IPSEC           #IP security
    options TCP_SIGNATURE
    device  crypto
    options DEVICE_POLLING
    device  carp

It will work with netcat:

    nc -v -S 10.0.0.2 179

.. but not with openbgpd.
Responsible Changed From-To: freebsd-ports-bugs->hrs

Over to maintainer (via the GNATS Auto Assign Tool)
Created attachment 151804
OpenBGP port patch for proper tcp md5sig support.

Here is an updated patch against the most recent version of the port. Fully functional, tested w/ MD5 signed BGP session against Cisco IOS, Mikrotik RouterOS and Juniper. Production running for a week now.
I can confirm this patch works. We have been using this in production since January without problems. Thanks!
files/patch-openbsd-compat_pfkey_compat.c can be removed from port since it's not going to be used anymore
Created attachment 160135
Updated patch from pfSense

This is the last version of the patch used by pfSense for years. I also removed patch-openbsd-compat_pfkey_compat.c since it's not used anymore and bumped PORTREVISION.
Just compiled & tested against 10.3 and 11p1 and it works. Important to note that the local-address needs to be set in the neighbor config stanza, and not to use the "other" method w/IPSEC & setkey outside of bgpd.conf. (That method also has the problem of SYNs not being signed, so you can't initiate a connection to an MD5 peer in passive mode.)
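The two observations above (the original report's "works with nc -S but not with openbgpd", and the note that the setkey-only method leaves SYNs unsigned) can be checked on the wire by looking for TCP option kind 19 and recomputing the RFC 2385 digest. The following is an added example for this thread, not code from the openbgpd port, the pfSense patch, or any of the commenters: it builds a signed TCP SYN the way RFC 2385 describes, and verifies the option on any TCP segment, distinguishing an unsigned SYN from a signed one with the wrong key. The peer addresses are the ones from the How-To-Repeat; the key, ports and sequence numbers are constructed test values.

```python
# Added example for this bug thread, not code from the openbgpd port or the
# pfSense patch. Builds and checks RFC 2385 TCP-MD5 signed segments (TCP
# option kind 19). Peer addresses are from the How-To-Repeat; the key, ports
# and sequence numbers are constructed test values.
import hashlib
import hmac
import socket
import struct

TCPOPT_MD5SIG = 19    # RFC 2385 option kind
TCPOLEN_MD5SIG = 18   # kind + length + 16-byte digest
IPPROTO_TCP = 6


def _pseudo_header(src_ip, dst_ip, tcp_len):
    # IPv4 pseudo-header: src, dst, zero, protocol, TCP length (header+options+data)
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, IPPROTO_TCP, tcp_len))


def tcp_md5_digest(src_ip, dst_ip, fixed_hdr, payload, key, tcp_len):
    """RFC 2385 section 2: MD5 over the pseudo-header, the 20-byte fixed TCP
    header with checksum zeroed (options are not covered), the data, the key."""
    m = hashlib.md5()
    m.update(_pseudo_header(src_ip, dst_ip, tcp_len))
    m.update(fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:20])
    m.update(payload)
    m.update(key)
    return m.digest()


def tcp_checksum(src_ip, dst_ip, segment):
    """Ones-complement TCP checksum; 0 when the segment's checksum field is
    already correct."""
    data = _pseudo_header(src_ip, dst_ip, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src_ip, dst_ip, sport, dport, seq, key=None):
    """Raw TCP SYN segment, signed with option 19 when a key is given.
    Option layout: kind(19) len(18) digest[16] NOP NOP (padded to 4 bytes)."""
    opt_len = 20 if key is not None else 0
    data_offset = (20 + opt_len) // 4
    fixed_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                            data_offset << 4, 0x02, 65535, 0, 0)  # 0x02 = SYN
    options = b""
    if key is not None:
        digest = tcp_md5_digest(src_ip, dst_ip, fixed_hdr, b"", key, 20 + opt_len)
        options = bytes([TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + digest + b"\x01\x01"
    segment = fixed_hdr + options
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def find_md5sig_option(segment):
    """Walk the TCP option list; return the 16-byte digest or None."""
    options = segment[20:(segment[12] >> 4) * 4]
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # EOL
            break
        if kind == 1:                       # NOP
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                           # truncated/malformed, do not misparse
        length = options[i + 1]
        if kind == TCPOPT_MD5SIG and length == TCPOLEN_MD5SIG:
            return options[i + 2:i + 18]
        i += length
    return None


def verify_md5sig(src_ip, dst_ip, segment, key):
    """'unsigned' if no option 19 is present, 'valid' if the digest matches
    the key, 'invalid' otherwise (wrong key or tampered covered fields)."""
    sig = find_md5sig_option(segment)
    if sig is None:
        return "unsigned"
    payload = segment[(segment[12] >> 4) * 4:]
    expected = tcp_md5_digest(src_ip, dst_ip, segment[:20], payload, key, len(segment))
    return "valid" if hmac.compare_digest(sig, expected) else "invalid"


if __name__ == "__main__":
    SRC, DST = "38.104.152.101", "38.104.152.102"   # peers from the How-To-Repeat
    KEY = b"constructed-test-key"                   # hypothetical test key
    signed = build_syn(SRC, DST, 40000, 179, 1, key=KEY)
    plain = build_syn(SRC, DST, 40001, 179, 1)
    print("signed SYN, right key:", verify_md5sig(SRC, DST, signed, KEY))
    print("signed SYN, wrong key:", verify_md5sig(SRC, DST, signed, b"other"))
    print("unsigned SYN         :", verify_md5sig(SRC, DST, plain, KEY))
```

To check a real session, pass the bytes of a captured TCP segment (from the start of the TCP header onward, IP header stripped) to verify_md5sig together with the configured key. Going by what this thread reports, a SYN sent by nc -S under the setkey entries should come back "valid", while a SYN sent by the unpatched bgpd under the same entries should come back "unsigned", which is exactly why the peer, having been told to expect MD5, drops it. Note that the digest covers the fixed header and data but not the options, so a NOP/EOL padding difference between implementations does not affect the result.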
Maintainer timeout (2 years 9 months), implicit approval. Pending QA across supported FreeBSD versions, but we have enough people confirming this patch works to progress.
Testbuilds are fine, committed, thanks!
A commit references this bug:

Author: pi
Date: Fri Jan 12 09:03:50 UTC 2018
New revision: 458810
URL: https://svnweb.freebsd.org/changeset/ports/458810

Log:
  net/openbgpd: Add patches to allow use of TCPMD5 options

  - For additional details, see this post from 2013:
    http://lists.freebsd.org/pipermail/freebsd-net/2013-November/037133.html
  - Please note that this patch is used by pfsense
  - related changes in the base system have already been integrated, see
    https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220170

  PR:           184545
  Submitted by: anarcat@koumbit.org, eksffa@freebsdbrasil.com.br, garga@FreeBSD.org
  Reviewed by:  mykel@mware.ca
  Approved by:  hrs (maintainer timeout)

Changes:
  head/net/openbgpd/Makefile
  head/net/openbgpd/files/patch-bgpd_Makefile
  head/net/openbgpd/files/patch-bgpd_pfkey.c
  head/net/openbgpd/files/patch-bgpd_session.c
  head/net/openbgpd/files/patch-openbsd-compat_pfkey_compat.c