Doug Barton <do...@freebsd.org> wrote in <4f036a7f.9030...@freebsd.org>:
do> This patch works even if net.inet.tcp.signature_verify_input=1. If I
do> turn that sysctl off on both sides they can talk to each other even
do> without the patch. So that would definitely seem to indicate that the
do> tcp_signature stuff is the source of the problem.
do>
do> What unfortunately did not work is configuring signatures on both sides.
do> With the sysctl enabled, IPSEC set up on both hosts, and the tcp md5sig
do> option in both bgpd.conf files, we got the same result as before, no
do> communication between them. When -HUP'ing and/or restarting openbgpd
do> with the tcp md5sig option enabled we get "pfkey setup failed."
do>
do> So, "working iBGP + no signatures" is a good next step. "iBGP +
do> signatures" would be an even better one. :) We're happy to test more
do> patches, etc.; and thanks again to everyone who has responded so far.

Okay, thank you for your report. I will take some time to fix
TCP_MD5SIG support in openbgpd and inform you when another patch is ready.

-- Hiroki