Bug 184545 - net/openbgpd: OpenBGPd fails to initiate TCP MD5 sig connections
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any
OS: Any
Importance: Normal Affects Many People
Assignee: Kurt Jaeger
Depends on:
Reported: 2013-12-06 16:20 UTC by anarcat+register
Modified: 2018-01-12 09:04 UTC

See Also:
pi: merge-quarterly-

file.diff (15.49 KB, patch)
2013-12-06 16:20 UTC, anarcat+register
OpenBGP port patch for proper tcp md5sig support. (14.33 KB, patch)
2015-01-18 19:34 UTC, eksffa
Updated patch from pfSense (15.39 KB, patch)
2015-08-20 11:09 UTC, Renato Botelho
koobs: maintainer-approval+

Description anarcat+register 2013-12-06 16:20:02 UTC
This stems from a discussion that started here:


Basically, while it is possible to hack your way through it, the FreeBSD port of OpenBGPd doesn't support MD5 passwords. The way to hack around it is to add SPD policies with setkey, but then it doesn't work when initiating connections.

This was also reported here first:


Fix: The fix is to use pfSense's OpenBGPd port. I built a patch which imports from both ports and figures out the best of both worlds, attached.

Patch attached with submission follows:
How-To-Repeat: Configure two FreeBSD OpenBGPd routers, set an IPsec policy as such:

add -n tcp 0x1000 -A tcp-md5 "[...]";
add -n tcp 0x1000 -A tcp-md5 "[...]";

and with the following kernel config:

options   IPSEC        #IP security
device    crypto
options         DEVICE_POLLING
device          carp

It will work with netcat:

nc -v -S 179

.. but not with openbgpd.
Comment 1 Edwin Groothuis freebsd_committer 2013-12-06 21:35:14 UTC
Responsible Changed
From-To: freebsd-ports-bugs->hrs

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 eksffa 2015-01-18 19:34:31 UTC
Created attachment 151804 [details]
OpenBGP port patch for proper tcp md5sig support.

Here is an updated patch against the most recent version of the port. Fully functional, tested w/ MD5 signed BGP session against Cisco IOS, Mikrotik RouterOS and Juniper. Production running for a week now.
Comment 3 anarcat+register 2015-03-26 02:08:54 UTC
I can confirm this patch works. We have been using this in production since January without problems.

Comment 4 Renato Botelho freebsd_committer 2015-06-03 13:22:28 UTC
files/patch-openbsd-compat_pfkey_compat.c can be removed from port since it's not going to be used anymore
Comment 5 Renato Botelho freebsd_committer 2015-08-20 11:09:51 UTC
Created attachment 160135 [details]
Updated patch from pfSense

This is the last version of the patch used by pfSense for years. I also removed patch-openbsd-compat_pfkey_compat.c since it's not used anymore and bumped PORTREVISION
Comment 6 Myke G 2016-10-14 09:09:51 UTC
Just compiled & tested against 10.3 and 11p1 and it works. Important to note that the local-address needs to be set in the neighbor config stanza, and not to use the "other" method w/IPSEC & setkey outside of bgpd.conf. (That method also has problem of SYNs not being signed, so you can't initiate a connection to an MD5 peer in passive mode.)
Comment 7 Kubilay Kocak freebsd_committer freebsd_triage 2016-10-14 09:14:36 UTC
Maintainer timeout (2 years 9 months), implicit approval.

Pending QA across supported FreeBSD versions, but we have enough people confirming this patch works to progress.
Comment 8 Kurt Jaeger freebsd_committer 2018-01-12 09:04:04 UTC
Testbuilds are fine, committed, thanks!
Comment 9 commit-hook freebsd_committer 2018-01-12 09:04:17 UTC
A commit references this bug:

Author: pi
Date: Fri Jan 12 09:03:50 UTC 2018
New revision: 458810
URL: https://svnweb.freebsd.org/changeset/ports/458810

  net/openbgpd: Add patches to allow use of TCPMD5 options

  - For additional details, see this post from 2013:
  - Please note that this patch is used by pfsense
  - related changes in the base system have already been integrated, see

  PR:		184545
  Submitted by:	anarcat@koumbit.org, eksffa@freebsdbrasil.com.br, garga@FreeBSD.org
  Reviewed by:	mykel@mware.ca
  Approved by:	hrs (maintainer timeout)