This stems from a discussion that started here:
Basically, while it is possible to hack your way through it, the FreeBSD port of OpenBGPd doesn't support MD5 passwords. The way to hack around it is to add SPD policies with setkey, but then it doesn't work when initiating connections.
This was also reported here first:
Fix: The fix is to use pfSense's OpenBGPd port. I built a patch which imports from both ports and figures out the best of both worlds, attached.
Patch attached with submission follows:
How-To-Repeat: Configure two FreeBSD OpenBGPd routers, set an IPsec policy as such:
add -n 220.127.116.11 18.104.22.168 tcp 0x1000 -A tcp-md5 "[...]";
add -n 22.214.171.124 126.96.36.199 tcp 0x1000 -A tcp-md5 "[...]";
and with the following kernel config:
options IPSEC #IP security
It will work with netcat:
nc -v -S 10.0.0.2 179
... but not with openbgpd.
Over to maintainer (via the GNATS Auto Assign Tool)
Created attachment 151804
OpenBGP port patch for proper tcp md5sig support.
Here is an updated patch against the most recent version of the port. Fully functional, tested w/ MD5 signed BGP session against Cisco IOS, Mikrotik RouterOS and Juniper. Production running for a week now.
I can confirm this patch works. We have been using this in production since January without problems.
files/patch-openbsd-compat_pfkey_compat.c can be removed from port since it's not going to be used anymore
Created attachment 160135
Updated patch from pfSense
This is the last version of the patch used by pfSense for years. I also removed patch-openbsd-compat_pfkey_compat.c since it's not used anymore and bumped PORTREVISION.
Just compiled & tested against 10.3 and 11p1 and it works. Important to note that the local-address needs to be set in the neighbor config stanza, and not to use the "other" method w/IPSEC & setkey outside of bgpd.conf. (That method also has problem of SYNs not being signed, so you can't initiate a connection to an MD5 peer in passive mode.)
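As an added example (not part of this bug report, the port, or pfSense's patch), the following Python code computes the RFC 2385 TCP-MD5 digest that OpenBGPd and the kernel exchange, and verifies captured segments, rejecting unsigned ones such as the SYNs described above. Addresses, ports, the sequence number and the key are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

MD5SIG_KIND, MD5SIG_LEN = 19, 18  # RFC 2385 option: kind 19, length 18


def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """RFC 2385 digest over IPv4 pseudo-header, fixed 20-byte TCP header with
    checksum zeroed (options excluded), payload, and the key."""
    hlen = (segment[12] >> 4) * 4
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
    pseudo += struct.pack("!BBH", 0, 6, len(segment))  # zero, proto, TCP len
    fixed = segment[:16] + b"\x00\x00" + segment[18:20]
    return hashlib.md5(pseudo + fixed + segment[hlen:] + key).digest()


def build_signed_syn(src_ip, dst_ip, sport, dport, seq, key):
    """SYN with an MD5 option: 20-byte header + 18-byte option + 2 NOPs = 40
    bytes, so data offset is 10. Option bytes are not covered by the digest."""
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 10 << 4, 0x02, 65535, 0, 0)
    unsigned = fixed + bytes([MD5SIG_KIND, MD5SIG_LEN]) + b"\x00" * 16 + b"\x01\x01"
    digest = tcp_md5_digest(src_ip, dst_ip, unsigned, key)
    return fixed + bytes([MD5SIG_KIND, MD5SIG_LEN]) + digest + b"\x01\x01"


def find_md5sig(segment):
    """Walk the TCP option list; return the 16-byte digest or None if absent."""
    hlen = (segment[12] >> 4) * 4
    opts, i = segment[20:hlen], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # EOL
            break
        if kind == 1:            # NOP
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                # truncated or malformed option
        if kind == MD5SIG_KIND and opts[i + 1] == MD5SIG_LEN:
            return opts[i + 2:i + MD5SIG_LEN]
        i += opts[i + 1]
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """True only if the segment carries an MD5 option that matches `key`."""
    sig = find_md5sig(segment)
    if sig is None:
        return False             # unsigned segment, e.g. a SYN sent without TCP_MD5SIG
    return hmac.compare_digest(sig, tcp_md5_digest(src_ip, dst_ip, segment, key))
```

Run over segments pulled from a packet capture of the BGP session (port 179) to confirm that both directions, including the initial SYN, are actually signed.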
Maintainer timeout (2 years 9 months), implicit approval.
Pending QA across supported FreeBSD versions, but we have enough people confirming this patch works to progress.
Testbuilds are fine, committed, thanks!
A commit references this bug:
Date: Fri Jan 12 09:03:50 UTC 2018
New revision: 458810
net/openbgpd: Add patches to allow use of TCPMD5 options
- For additional details, see this post from 2013:
- Please note that this patch is used by pfSense
- related changes in the base system have already been integrated, see
Submitted by: email@example.com, firstname.lastname@example.org, garga@FreeBSD.org
Reviewed by: email@example.com
Approved by: hrs (maintainer timeout)