https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218907
Bug ID: 218907
Summary: tcpmd5 kernel module on STABLE/11 doesn't work with vultr bgp via bird
Product: Base System
Version: 11.0-STABLE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: freebsd-b...@joe.mulloy.me

Hello,

I have set up some servers on the cloud provider Vultr and I have set up a floating IP for load balancing/high availability via BGP. Vultr's BGP system requires using an MD5 TCP signature, which before r313330 in current and r315514 in stable/11 was not available as a module and required compiling a custom kernel with the TCP_SIGNATURE option enabled. I prefer to be able to just use freebsd-update, so I found this quite inconvenient, but I am dealing with compiling and distributing a custom kernel anyways. However, with this kernel my servers keep freezing with no useful error message, which is incredibly frustrating.

I figured that perhaps now that this functionality has been getting some work, whatever bug I'm hitting may be fixed in STABLE/11. So I tried using the kernel in the snapshot tarball for STABLE/11, but it's lacking the IPSEC_SUPPORT option, so I still have to compile my own kernel for the tcpmd5 module to load/work. I've done this: I have built the STABLE/11 kernel from r317316, and the module loads and bird doesn't complain about the TCP MD5 feature being missing. However, BIRD isn't able to actually establish a connection to the other end, so it seems the TCP MD5 feature is now broken. I haven't upgraded my userland, it's still 11.0-RELEASE-p9, but I believe it should still work fine on an 11/STABLE kernel.

Perhaps I'm doing something wrong here, but I can't figure out a working solution and I can't find any documentation. It seems this md5 tcp signature feature is rarely used and hard to even turn on. Please let me know what I can do to assist in debugging these issues. I'm glad that tcp md5 signatures will finally be easy to enable. I hope it won't be too hard to get this fixed.

Issues:

1. IPSEC_SUPPORT still not enabled in GENERIC kernel, so I still have to compile my own kernel for the tcpmd5 kernel module to actually work
2. The tcp md5 signature feature doesn't seem to work, the other end rejects my server as if I had the wrong password.

Vultr BGP Guide:
https://www.vultr.com/docs/high-availability-on-vultr-with-floating-ip-and-bgp

Bug tracking the splitting of ipsec and tcp md5 to separate kernel modules:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212018

Bird output showing that BGP session can't be established.

root@vps-vu-nj-1b:~ # birdc show proto all vultr
BIRD 1.6.3 ready.
name     proto    table    state  since       info
vultr    BGP      master   start  05:14:24    Connect       Socket: Connection refused
  Preference:     100
  Input filter:   REJECT
  Output filter:  ACCEPT
  Routes:         0 imported, 0 exported, 0 preferred
  Route change stats:     received   rejected   filtered    ignored   accepted
    Import updates:              0          0          0          0          0
    Import withdraws:            0          0        ---          0          0
    Export updates:              0          0          0        ---          0
    Export withdraws:            0        ---        ---        ---          0
  BGP state:          Connect
    Neighbor address: 169.254.169.254
    Neighbor AS:      64515
    Last error:       Socket: Connection refused