On Sat, May 15, 2010 at 05:15:21PM +0200, Xavier Beaudouin wrote:
> Hi Stuart,
> 
> On 15 May 2010 at 13:47, Stuart Henderson wrote:
> 
> > On 2010-05-15, Xavier Beaudouin <k...@oav.net> wrote:
> >> Hello,
> >>
> >> I am running OpenBSD 4.7-current, and it seems I have some problems
> >> negotiating a tcp md5 bgp session... They don't seem to wake up at all, I
> >> have a connection timeout... or whatever.
> >
> > Please show ipsecctl -sa and netstat -rnfencap
> 
> # netstat -rnfencap
> Routing tables
> (empty)
> 
> # ipsecctl -sa
> FLOWS:
> No flows
> 
> SAD:
> tcpmd5 from 194.68.129.120 to 194.68.129.151 spi 0x18ca8716
> tcpmd5 from 194.68.129.120 to 194.68.129.150 spi 0x38c985dd
> tcpmd5 from 194.68.129.114 to 194.68.129.120 spi 0x4f5d8833
> tcpmd5 from 194.68.129.103 to 194.68.129.120 spi 0x5351ca6b
> tcpmd5 from 194.68.129.120 to 194.68.129.115 spi 0x7a989c0e
> tcpmd5 from 194.68.129.120 to 194.68.129.121 spi 0x8c8c5051
> tcpmd5 from 194.68.129.129 to 194.68.129.120 spi 0xaece6b67
> tcpmd5 from 194.68.129.121 to 194.68.129.120 spi 0xbb6260f1
> tcpmd5 from 194.68.129.115 to 194.68.129.120 spi 0xbc589b6f
> tcpmd5 from 194.68.129.120 to 194.68.129.129 spi 0xc16133b3
> tcpmd5 from 194.68.129.120 to 194.68.129.114 spi 0xc36216e4
> tcpmd5 from 194.68.129.120 to 194.68.129.103 spi 0xc39e4d97
> tcpmd5 from 194.68.129.150 to 194.68.129.120 spi 0xc8bf11ca
> tcpmd5 from 194.68.129.120 to 194.68.129.102 spi 0xcc6b7756
> tcpmd5 from 194.68.129.102 to 194.68.129.120 spi 0xd9097ad1
> tcpmd5 from 194.68.129.197 to 194.68.129.120 spi 0xdb53b930
> tcpmd5 from 194.68.129.151 to 194.68.129.120 spi 0xde1e91da
> tcpmd5 from 194.68.129.120 to 194.68.129.197 spi 0xe630b27a
> 
> 
> The .120 is my IP :p
> 
> > I have md5 working with a kernel from April 28th and an absolutely
> > -current bgpd, and also with the version from the Apr 28th snapshot,
> > so I don't think there is a general problem with the code you're
> > running.
> 
> I'm almost sure there are no problems... I'm still trying to find where the
> problem is :(
> 
> If you have any hints.. I'd be happy to apply them...

Did it work before the update with that peer?
Most of the time the problem is different passwords or some other
misconfiguration. TCP MD5 is an ugly hack that has some nasty
ramifications (it breaks some basic behaviour of TCP e.g. RST signaling).

Normally the best is to turn off md5 and check that the session works. Then
enable md5 or use ttl-security.
-- 
:wq Claudio
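
A first check on `ipsecctl -sa` output like the listing quoted above, as an added example that is not part of the original thread: it reports any peer that has a tcpmd5 SA in only one direction. It assumes bgpd loads one SA per direction for each md5 peer (the pattern visible in the quoted SAD); the function names, addresses and SPIs are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify tcpmd5 SAs come in pairs (local->peer and peer->local).

# check_md5_pairs LOCAL_IP
# Reads `ipsecctl -sa` text on stdin, prints one line per incomplete peer,
# and returns non-zero if any peer lacks an SA in one direction.
check_md5_pairs() {
    awk -v me="$1" '
        # SAD lines look like: tcpmd5 from A to B spi 0x...
        $1 == "tcpmd5" && $2 == "from" && $4 == "to" {
            if ($3 == me)      { out[$5] = 1; peers[$5] = 1 }
            else if ($5 == me) { inb[$3] = 1; peers[$3] = 1 }
            # SAs that do not involve the local address are ignored
        }
        END {
            for (p in peers) {
                if (!(p in out)) { print p ": missing outbound SA"; bad = 1 }
                if (!(p in inb)) { print p ": missing inbound SA";  bad = 1 }
            }
            exit bad + 0
        }'
}

# Constructed sample output (documentation addresses, placeholder SPIs).
# Peer 192.0.2.10 has both directions; peer 192.0.2.30 has outbound only.
sample_sa() {
    cat <<'EOF'
FLOWS:
No flows

SAD:
tcpmd5 from 192.0.2.1 to 192.0.2.10 spi 0x00000001
tcpmd5 from 192.0.2.10 to 192.0.2.1 spi 0x00000002
tcpmd5 from 192.0.2.1 to 192.0.2.30 spi 0x00000003
EOF
}

# Demo on the constructed sample; on a router: ipsecctl -sa | check_md5_pairs <local-ip>
sample_sa | check_md5_pairs 192.0.2.1 || true
```

A complete pair only shows that the SAs are loaded. It says nothing about whether both ends use the same password, so a session can still time out with every peer paired.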
