On Jan 4, 2012, at 3:42 PM, sth...@nethelp.no wrote:

>> You are setting the keys with setkey for both directions of a single
>> session, right?
>> i.e.:
>>
>> add X.X.X.X Y.Y.Y.Y tcp 0x1000 -A tcp-md5 "SomePass";
>> add Y.Y.Y.Y X.X.X.X tcp 0x1000 -A tcp-md5 "SomePass";
>>
>> Before, it was only necessary to set the "outgoing" direction key, which
>> should not work anymore unless net.inet.tcp.signature_verify_input is zero.
>
> Are you sure? I have net.inet.tcp.signature_verify_input = 1 and only
> one line in /etc/ipsec.conf for each BGP session using MD5 keys, on
> 8.2-STABLE.
>
> Steinar Haug, Nethelp consulting, sth...@nethelp.no
Hmm, you are right; it seems that my second SAD entries are not used at all.

However, I'm now running with net.inet.tcp.signature_verify_input = 0, because if I set it to 1 the BGP sessions to my other FreeBSD routers disconnect (and those are running Quagga). Am I the only one who sees this running Quagga?

One difference, probably, is that I have both TCP-MD5 protected sessions and ones that are not, and the unprotected sessions fail if I start checking ingress TCP signatures.

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
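What "checking ingress TCP signatures" actually computes is the RFC 2385 digest: MD5 over the IPv4 pseudo-header (source, destination, protocol, segment length), the fixed 20-byte TCP header with the checksum zeroed and options excluded, the segment data, and finally the shared key. The example below, added here and not code from the thread, FreeBSD, or Quagga, builds a segment carrying the signature option and verifies it the way a receiver would; the addresses, ports and the key "SomePass" are constructed sample values. Because source and destination are part of the digest, the same key verifies in both directions only when it is looked up for the peer pair the segment actually arrived with, which is the point the thread is circling around. This toy rejects an unsigned segment outright; what the kernel does with unsigned segments when the sysctl is 1 is precisely what the thread is asking, and the example takes no position on it.

```python
"""RFC 2385 TCP MD5 signature option: build and verify (hypothetical example)."""
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
TCPOPT_NOP = 1
TCPOPT_SIGNATURE = 19       # option kind of the TCP MD5 signature option
TCPOLEN_SIGNATURE = 18      # kind, length, 16-byte digest


def tcp_md5_digest(src_ip: str, dst_ip: str, segment: bytes, key: bytes) -> bytes:
    """Digest as RFC 2385 specifies: pseudo-header, fixed TCP header with the
    checksum zeroed and options excluded, segment data, then the key."""
    doff = (segment[12] >> 4) * 4            # header + options, in bytes
    fixed = bytearray(segment[:20])
    fixed[16:18] = b"\x00\x00"               # checksum is computed after signing
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    h = hashlib.md5()
    h.update(pseudo)
    h.update(bytes(fixed))
    h.update(segment[doff:])                 # data only; options are not covered
    h.update(key)
    return h.digest()


def find_signature_option(segment: bytes):
    """Return the 16-byte digest carried in the signature option, or None."""
    doff = (segment[12] >> 4) * 4
    opts = segment[20:doff]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                        # end of option list
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            return None                      # truncated option
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return None                      # malformed length field
        if kind == TCPOPT_SIGNATURE and length == TCPOLEN_SIGNATURE:
            return bytes(opts[i + 2:i + length])
        i += length
    return None


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key=None):
    """Build a TCP segment (no IP header). With a key, it carries a valid
    signature option (two NOPs pad the option to a 4-byte boundary); without
    one, it is a plain unsigned segment. The TCP checksum is left at zero."""
    options = b""
    if key is not None:
        options = bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE]) + bytes(16)
    doff_words = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         doff_words << 4, flags, 65535, 0, 0)
    segment = bytearray(header + options + payload)
    if key is not None:
        # Options are excluded from the digest, so the zero placeholder is fine.
        segment[24:40] = tcp_md5_digest(src_ip, dst_ip, bytes(segment), key)
    return bytes(segment)


def verify_input(src_ip, dst_ip, segment, key):
    """Receiver-side check of an arriving segment against the key configured
    for this (src, dst) pair. Unsigned segments are rejected by this toy."""
    carried = find_signature_option(segment)
    if carried is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, segment, key)
    return hmac.compare_digest(carried, expected)


if __name__ == "__main__":
    key = b"SomePass"                        # constructed sample key
    seg = build_segment("192.0.2.1", "192.0.2.2", 179, 40000, 1, 2, 0x18, b"bgp", key)
    print("same direction, right key :", verify_input("192.0.2.1", "192.0.2.2", seg, key))
    print("same direction, wrong key :", verify_input("192.0.2.1", "192.0.2.2", seg, b"Other"))
    print("reversed direction        :", verify_input("192.0.2.2", "192.0.2.1", seg, key))
```

The reversed-direction check fails because the pseudo-header is part of the digest, so a receiver must select the SA by the addresses as they appear on the arriving segment, not by the outgoing entry it uses for its own traffic.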