Created attachment 232630 [details] Suggested patch Setup: I run BGP with md5 passwords, using setkey and ipsec.conf. With FreeBSD-13 this configuration fail to work. from logfile: kernel: Feeding entropy: . kernel: Installing ipsec manual keys/policies. kernel: The result of line 1: Invalid argument. kernel: The result of line 2: Invalid argument. kernel: The result of line 3: Invalid argument. kernel: The result of line 4: Invalid argument. kernel: Loading kernel modules: /etc/ipsec.conf: add 185.XXX.XXX.15 185.XXX.XXX.130 tcp 0x1000 -A tcp-md5 "password"; add 185.XXX.XXX.130 185.XXX.XXX.15 tcp 0x1000 -A tcp-md5 "password"; add 185.XXX.XXX.15 185.XXX.XXX.129 tcp 0x1000 -A tcp-md5 "password"; add 185.XXX.XXX.129 185.XXX.XXX.15 tcp 0x1000 -A tcp-md5 "password"; /etc/rc.conf: ipsec_file="/etc/ipsec.conf" ipsec_enable="YES" kld_list="netgraph tcpmd5 ng_ether ng_pppoe ng_socket ng_mppc ng_ppp ng_tee ng_tcpmss" # service -l | egrep 'ipsec|kld' ipsec kld kldxref Workaround after reboot I run: # /etc/rc.d/ipsec start Suggested fix: Change the Starting order. Patching /etc/rc.d/ipsec solves the problem: # rcorder /etc/rc.d/* /usr/local/etc/rc.d/* | egrep 'ipsec|kld' /etc/rc.d/kldxref /etc/rc.d/kld /etc/rc.d/ipsec start ipsec after
Seems reasonable. We already set required_modules=ipsec, but that doesn't seem like the right approach for tcp-md5...?