Leo, thanks for the answer.
As for 11.1: IPSEC is already enabled in GENERIC, so I had to add only TCP_SIGNATURE. After I'd installed the new kernel, BGP auth started working without adding ipsec-related stuff to rc.conf or altering setkey.conf.

> On 23 Mar 2018, at 15:37, Leo Vandewoestijne <[email protected]> wrote:
>
> On Fri, 23 Mar 2018, Peter Andreev wrote:
>
>> Is it still necessary to build custom kernel to get md5 auth working?
>>
> I'm pretty sure, yes.
> The only way I got it working in 11.1 i.c.w. 1.6.x was:
>
> # kernel config
> options IPSEC
> options TCP_SIGNATURE
>
> # /etc/rc.conf
> ipsec_enable="YES"
> ipsec_program="/sbin/setkey"
> ipsec_file="/etc/setkey.conf"
>
> # /etc/setkey.conf
> flush;    # useful when running mutations manually
> spdflush; # useful when running mutations manually
> add -4 12.34.56.6 12.34.56.7 tcp 0x1000 -A tcp-md5
>     "teNp8XUrZtNteNjbep68jXgUGroZtUN";
> add -4 12.34.56.7 12.34.56.6 tcp 0x1000 -A tcp-md5
>     "teNp8XUrZtNteNjbep68jXgUGroZtUN";
>
> And initially nothing in bird.conf (just like I did in OpenBGPd in the
> pre-Bird era).
> But suddenly -about a year ago- at one Asian location I needed the password
> option in bird.conf.
>
> I however do see a setkey patch in the current 1.6.4 port, so I don't know
> what has changed there.
> I have not used that, as I migrated to 2.0.x, which offered a password option
> in bird.conf:
>
> # bird.conf - at the BGP protocol:
> password "teNp8XUrZtNteNjbep68jXgUGroZtUN";
>
> So the intended design was to only need it in bird.conf,
> but in reality I now only got it working when setting it both in setkey.conf
> and in bird.conf.
>
> Clearly things have changed, somewhere in 11.1.
> I already noticed IPSEC_NAT_T was removed (which was useful on vlan)
> https://svnweb.freebsd.org/base/stable/11/sys/modules/tcp/tcpmd5/Makefile?view=log&pathrev=315514
> So this week I puzzled some more after having IPSEC_SUPPORT added to the
> kernel.
>
> But so far I did not witness any difference, so I'm still with the double
> config - not a real issue; it works fine.
>
>
> So I continued with finding out the correct restrictions/permissions in PF.
> For clarity; the double config "problem" is unrelated to firewalling - I did
> pretty much all of my testing without.
> I don't wish to threadjack yet, with something in fact unrelated to Bird, but
> once your problem is solved I'd like to bring that question up.
>
>
> Feel free to contact me off list in case you feel any need to.
>
>
> --
>
> Met vriendelijke groet,
> With kind regards,
>
>
> Leo Vandewoestijne
> <***@dns.company>
> <www.dns.company>

-- 
Peter Andreev
MSK-IX/RIPN +7 (495) 737-0685
DNS Network Operational Center +7 (499) 192-9179
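The "double config" Leo describes (a tcp-md5 SA per direction in setkey.conf plus the password at the BGP protocol in bird.conf) is easy to get subtly wrong: a missing reverse-direction SA or a key that differs between the two files leaves the session unauthenticated or never established. The script below is an added example, not code from this thread, BIRD or FreeBSD; it checks that every tcp-md5 SA in a setkey.conf has a matching reverse SA with the same key and that the key equals the bird.conf password. The sample files it writes are constructed (RFC 5737 addresses, a placeholder key), and the function names make_samples and check_md5_config are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or the BIRD/FreeBSD projects.
# Consistency check for the TCP-MD5 (TCP_SIGNATURE / "tcp-md5") setup the
# thread describes: every tcp-md5 SA in setkey.conf needs a reverse-direction
# SA with the same key, and that key must equal the password in bird.conf.
# Files written by make_samples are constructed samples, not real peers.

# Write constructed sample files into a fresh temp dir and print its path.
# $1 = key for the reverse-direction SA (pass a different value to build a
# mismatched pair and watch the check fail).
make_samples() {
  reverse_key=${1:-EXAMPLE-KEY-REPLACE-ME}
  dir=$(mktemp -d "${TMPDIR:-/tmp}/md5chk.XXXXXX") || return 1
  cat > "$dir/setkey.conf" <<EOF
flush;
spdflush;
add -4 192.0.2.6 192.0.2.7 tcp 0x1000 -A tcp-md5 "EXAMPLE-KEY-REPLACE-ME";
add -4 192.0.2.7 192.0.2.6 tcp 0x1000 -A tcp-md5 "$reverse_key";
EOF
  cat > "$dir/bird.conf" <<'EOF'
protocol bgp peer1 {
  local as 64496;
  neighbor 192.0.2.7 as 64497;
  password "EXAMPLE-KEY-REPLACE-ME";
}
EOF
  printf '%s\n' "$dir"
}

# Return 0 when setkey.conf ($1) and bird.conf ($2) agree, 1 otherwise,
# printing one line per problem found.
check_md5_config() {
  setkey_file=$1
  bird_file=$2
  status=0
  # First password "..." statement in bird.conf (BIRD 2.x style, at the BGP
  # protocol block).
  bird_pw=$(sed -n 's/^[[:space:]]*password[[:space:]]*"\([^"]*\)".*/\1/p' "$bird_file" | head -n 1)
  if [ -z "$bird_pw" ]; then
    echo "no password statement in $bird_file"
    return 1
  fi
  # Reduce each tcp-md5 "add" line to "src dst key" (quotes and ';' stripped).
  sas=$(mktemp "${TMPDIR:-/tmp}/md5chk.XXXXXX") || return 1
  awk '/^[[:space:]]*add[[:space:]]/ && /tcp-md5/ {
         i = 2; if ($i ~ /^-[46]$/) i++;          # optional address family flag
         src = $i; dst = $(i + 1); key = "";
         for (j = i; j < NF; j++) if ($j == "tcp-md5") key = $(j + 1);
         gsub(/[";]/, "", key);
         print src, dst, key
       }' "$setkey_file" > "$sas"
  if [ ! -s "$sas" ]; then
    echo "no tcp-md5 SAs in $setkey_file"
    rm -f "$sas"
    return 1
  fi
  while read -r src dst key; do
    if [ "$key" != "$bird_pw" ]; then
      echo "SA $src -> $dst: key differs from bird.conf password"
      status=1
    fi
    # Each side verifies the other's segments, so both directions need an SA
    # carrying the same key.
    if ! grep -Fqx "$dst $src $key" "$sas"; then
      echo "SA $src -> $dst: no reverse SA $dst -> $src with the same key"
      status=1
    fi
  done < "$sas"
  rm -f "$sas"
  return "$status"
}

# Stand-alone demo: a consistent pair, then one with a mismatched reverse key.
good=$(make_samples)
check_md5_config "$good/setkey.conf" "$good/bird.conf" && echo "consistent: $good"
bad=$(make_samples "WRONG-KEY")
check_md5_config "$bad/setkey.conf" "$bad/bird.conf" || echo "inconsistent: $bad"
rm -rf "$good" "$bad"
```

Run it against real files with `check_md5_config /etc/setkey.conf /etc/bird.conf` after sourcing the script; it only reads the files and reports, so it is safe to run on a live router before reloading setkey or BIRD. Note that, as Peter found, on 11.1 the kernel side needs only `options TCP_SIGNATURE` on top of GENERIC; this check covers the userland half of the setup.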
