On Tue, 12 Jun 2018 14:34:47 +0200, Patrick Lamaiziere <patf...@davenulle.org> wrote:
Hello,

I changed the subject because this is not at all related to bird.

> I'm trying Bird 2 on FreeBSD 11.2 using tcp md5 signature for BGP
> connections.
>
> Bird2 has an option to set the needed ipsec SA/SP but here this does
> not work.
>
> The first entry (0.0.0.0 129.20.128.78) is correct but the second one
> (129.20.128.78 0.0.0.0) has an invalid spi field (should be 0x1000).
> The spi value changes each time bird runs so it looks uninitialized.
>
> # setkey -D
> 129.20.128.78 0.0.0.0
>         tcp mode=any spi=131144976(0x07d11d10) reqid=0(0x00000000)
>         A: tcp-md5 32626770 2d313421
>         seq=0x00000000 replay=0 flags=0x00000040 state=mature
>         created: Jun 12 14:15:50 2018 current: Jun 12 14:24:31 2018
>         diff: 521(s) hard: 0(s) soft: 0(s)
>         last: hard: 0(s) soft: 0(s)
>         current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
>         allocated: 0 hard: 0 soft: 0
>         sadb_seq=1 pid=49180 refcnt=1
> 0.0.0.0 129.20.128.78
>         tcp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
>         A: tcp-md5 32626770 2d313421
>         seq=0x00000000 replay=0 flags=0x00000040 state=mature
>         created: Jun 12 14:15:50 2018 current: Jun 12 14:24:31 2018
>         diff: 521(s) hard: 0(s) soft: 0(s)
>         last: hard: 0(s) soft: 0(s)
>         current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
>         allocated: 0 hard: 0 soft: 0
>         sadb_seq=0 pid=49180 refcnt=1

Well, I can reproduce this problem by using setkey(8):

/etc/ipsec.conf
add 129.20.128.78 129.20.128.149 tcp 0x1000 -A tcp-md5 "secret";
add 129.20.128.149 129.20.128.78 tcp 0x1000 -A tcp-md5 "secret";

# setkey -D
No SAD entries.
# setkey -f /etc/ipsec.conf
# setkey -D
129.20.128.149 129.20.128.78
        tcp mode=any spi=106079004(0x0652a31c) reqid=0(0x00000000)
        A: tcp-md5 73656372 6574
        seq=0x00000000 replay=0 flags=0x00000040 state=mature
        created: Jun 12 15:57:28 2018 current: Jun 12 15:57:36 2018
        diff: 8(s) hard: 0(s) soft: 0(s)
        last: hard: 0(s) soft: 0(s)
        current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 0 hard: 0 soft: 0
        sadb_seq=1 pid=5405 refcnt=1
129.20.128.78 129.20.128.149
        tcp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
        A: tcp-md5 73656372 6574
        seq=0x00000000 replay=0 flags=0x00000040 state=mature
        created: Jun 12 15:57:28 2018 current: Jun 12 15:57:36 2018
        diff: 8(s) hard: 0(s) soft: 0(s)
        last: hard: 0(s) soft: 0(s)
        current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 0 hard: 0 soft: 0
        sadb_seq=0 pid=5405 refcnt=1

spi field looks wrong :(

That works fine on FreeBSD 10.3

Same problem on a FreeBSD 11.1-STABLE #1 r326391: Thu Nov 30 12:07:50 CET 2017

Regards.
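Added example, not part of the original message: a shell check that parses `setkey -D` output and reports every tcp-md5 SA whose SPI differs from the 0x1000 the message says it should be. The function names and the abridged sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag tcp-md5 SAs in `setkey -D` output with an unexpected SPI.
EXPECTED_SPI=0x00001000   # value the message says the spi field should have

# check_tcpmd5_spi: reads `setkey -D` output on stdin and prints one line per
# tcp-md5 SA: "<src> <dst> <spi-hex> OK|BAD". Exit status is 1 if any SA is BAD.
check_tcpmd5_spi() {
    awk -v want="$EXPECTED_SPI" '
        # SA header: unindented line holding "<src> <dst>"
        /^[^ \t]/ && NF == 2 { src = $1; dst = $2; spi = ""; next }
        # Protocol line: "tcp mode=any spi=4096(0x00001000) reqid=..."
        $1 == "tcp" {
            spi = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ /^spi=/) { spi = $i; sub(/^.*\(/, "", spi); sub(/\).*$/, "", spi) }
            next
        }
        # Authentication line: only SAs that use tcp-md5 are checked
        $1 == "A:" && $2 == "tcp-md5" && spi != "" {
            verdict = (tolower(spi) == tolower(want)) ? "OK" : "BAD"
            if (verdict == "BAD") bad = 1
            print src, dst, spi, verdict
            spi = ""
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: abridged from the setkey -D output in the message above.
sample_sad() {
cat <<'EOF'
129.20.128.149 129.20.128.78
        tcp mode=any spi=106079004(0x0652a31c) reqid=0(0x00000000)
        A: tcp-md5 73656372 6574
        seq=0x00000000 replay=0 flags=0x00000040 state=mature
        sadb_seq=1 pid=5405 refcnt=1
129.20.128.78 129.20.128.149
        tcp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
        A: tcp-md5 73656372 6574
        seq=0x00000000 replay=0 flags=0x00000040 state=mature
        sadb_seq=0 pid=5405 refcnt=1
EOF
}

# Stand-alone run on the sample; on a live host use: setkey -D | check_tcpmd5_spi
sample_sad | check_tcpmd5_spi || echo "tcp-md5 SA with unexpected SPI found" >&2
```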