Hi Stuart,

Thanks for the info, not exactly what I was hoping to hear! I wonder why your tests configuring outside of Bird didn't work? Would you mind sharing your sample /etc/ipsec.conf file?

You are right, it is inconvenient having to configure the keys outside of Bird, but right now I'd settle for that if I can get a working neighborship using MD5 auth!

Thanks

Darren

On 22 February 2017 at 12:41, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2017/02/21 16:01, Darren Marshall wrote:
> >
> > I'm googling like crazy and can't seem to find an example of how to
> > configure MD5 authentication between BGP peers using Bird running on
> > OpenBSD, does someone out there have a guide for this? The Bird config
> > is straightforward but I'm missing the 'glue' at the OS level! Also
> > does anyone know if the stock Generic kernel supports TCP MD5
> > signatures out of the box (OpenBSD 6.0), looking at the kernel config
> > file it would appear it has the option compiled in, anyone know how to
> > check?
> >
> > Many thanks in advance!
> >
> > daz
> >
>
> Some general information about TCP MD5 on OpenBSD:
>
> - The stock kernel _does_ have this compiled in.
>
> - The listening socket needs to use setsockopt TCP_MD5SIG.
>
> - SAs should be set up for peers with whom you want to use MD5. If an
> incoming connection matches an SA but does not have valid MD5 it will be
> rejected. Connections from other addresses will be allowed. OpenBGPd does
> this automatically.
>
> Regarding BIRD:
>
> - The relevant setsockopt TCP_MD5SIG bits are already present in sysio.h
> (including for OpenBSD) so in theory it would be possible to configure
> TCPMD5 SAs outside of BIRD (using isakmpd+ipsecctl with config in
> /etc/ipsec.conf), but it's inconvenient to configure this separately.
> Also it appears that it wants a raw key (so the usual "md5 password"
> would need to be converted manually for this).
>
> - BIRD has code in sysdep/bsd/setkey.h to configure SAs automatically on
> FreeBSD so it wouldn't be a huge stretch to adapt that for OpenBSD
> (it might be helpful to xref with OpenBGP's pfkey.c) and there's an
> #ifdef in sysdep/bsd/sysio.h that would need changing.
>
> Having just had a quick play with the ipsecctl bits and not getting it
> to work that way, adapting setkey.h definitely has to be the saner route.
>