Egerváry Gergely
2016-12-30 18:55:33 UTC
Hi,
After upgrading from 6-STABLE to 7-STABLE, my TCP-MD5 protected BGP
setup stopped working.
I have TCP_SIGNATURE in my kernel:
options TCP_SIGNATURE # RFC 2385 support, used with BGP
I have the following entry in ipsec.conf:
add aaa.bbb.ccc.ddd www.xxx.yyy.zzz tcp 0x1000 -A tcp-md5 "password";
where aaa.bbb.ccc.ddd is my local IP and www.xxx.yyy.zzz is the remote
IP.
`setkey -D' output:
aaa.bbb.ccc.ddd www.xxx.yyy.zzz
tcp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
A: tcp-md5 706f6c31 6a656c73 7a30
seq=0x00000000 replay=0 flags=0x00000040 state=mature
created: Dec 30 19:40:09 2016 current: Dec 30 19:48:00 2016
diff: 471(s) hard: 0(s) soft: 0(s)
last: Dec 29 20:18:19 2016 hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=23494 refcnt=1
tcpdump does not show any MD5 checksums on outgoing packets:
19:51:11.679566 IP aaa.bbb.ccc.ddd.56368 > www.xxx.yyy.zzz.179: Flags
[S], seq 2207123721, win 32768, options [mss 1460,nop,wscale
3,sackOK,nop,nop,nop,nop,TS val 13 ecr 0], length 0
this is an incoming packet from the peer - see the correct checksum:
19:52:53.241773 IP www.xxx.yyy.zzz.65198 > aaa.bbb.ccc.ddd.179: Flags
[S], seq 893043845, win 16384, options [mss 1460,md5valid,eol], length 0
Do I miss something, or is it broken in 7-STABLE?
The very same config used to work in 6-STABLE.
Thanks,
After upgrading from 6-STABLE to 7-STABLE, my TCP-MD5 protected BGP
setup stopped working.
I have TCP_SIGNATURE in my kernel:
options TCP_SIGNATURE # RFC 2385 support, used with BGP
I have the following entry in ipsec.conf:
add aaa.bbb.ccc.ddd www.xxx.yyy.zzz tcp 0x1000 -A tcp-md5 "password";
where aaa.bbb.ccc.ddd is my local IP and www.xxx.yyy.zzz is the remote
IP.
`setkey -D' output:
aaa.bbb.ccc.ddd www.xxx.yyy.zzz
tcp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
A: tcp-md5 706f6c31 6a656c73 7a30
seq=0x00000000 replay=0 flags=0x00000040 state=mature
created: Dec 30 19:40:09 2016 current: Dec 30 19:48:00 2016
diff: 471(s) hard: 0(s) soft: 0(s)
last: Dec 29 20:18:19 2016 hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=23494 refcnt=1
tcpdump does not show any MD5 checksums on outgoing packets:
19:51:11.679566 IP aaa.bbb.ccc.ddd.56368 > www.xxx.yyy.zzz.179: Flags
[S], seq 2207123721, win 32768, options [mss 1460,nop,wscale
3,sackOK,nop,nop,nop,nop,TS val 13 ecr 0], length 0
this is an incoming packet from the peer - see the correct checksum:
19:52:53.241773 IP www.xxx.yyy.zzz.65198 > aaa.bbb.ccc.ddd.179: Flags
[S], seq 893043845, win 16384, options [mss 1460,md5valid,eol], length 0
Do I miss something, or is it broken in 7-STABLE?
The very same config used to work in 6-STABLE.
Thanks,
--
Gergely EGERVARY
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Gergely EGERVARY
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de