Hi there,

On 16 May 2010 at 14:26, Claudio Jeker wrote:

> On Sat, May 15, 2010 at 05:15:21PM +0200, Xavier Beaudouin wrote:
>> Hi Stuart,
>>
>> On 15 May 2010 at 13:47, Stuart Henderson wrote:
>>
>>> On 2010-05-15, Xavier Beaudouin <[email protected]> wrote:
>>>> Hello,
>>>>
>>>> I am running OpenBSD 4.7-current, and it seems I have some problems
>>>> negotiating tcp md5 bgp sessions... They don't seem to wake up at all, I have
>>>> connection timeout... or whatever.
>>>
>>> Please show ipsecctl -sa and netstat -rnfencap
>>
>> # netstat -rnfencap
>> Routing tables
>> (empty)
>>
>> # ipsecctl -sa
>> FLOWS:
>> No flows
>>
>> SAD:
>> tcpmd5 from 194.68.129.120 to 194.68.129.151 spi 0x18ca8716
>> tcpmd5 from 194.68.129.120 to 194.68.129.150 spi 0x38c985dd
>> tcpmd5 from 194.68.129.114 to 194.68.129.120 spi 0x4f5d8833
>> tcpmd5 from 194.68.129.103 to 194.68.129.120 spi 0x5351ca6b
>> tcpmd5 from 194.68.129.120 to 194.68.129.115 spi 0x7a989c0e
>> tcpmd5 from 194.68.129.120 to 194.68.129.121 spi 0x8c8c5051
>> tcpmd5 from 194.68.129.129 to 194.68.129.120 spi 0xaece6b67
>> tcpmd5 from 194.68.129.121 to 194.68.129.120 spi 0xbb6260f1
>> tcpmd5 from 194.68.129.115 to 194.68.129.120 spi 0xbc589b6f
>> tcpmd5 from 194.68.129.120 to 194.68.129.129 spi 0xc16133b3
>> tcpmd5 from 194.68.129.120 to 194.68.129.114 spi 0xc36216e4
>> tcpmd5 from 194.68.129.120 to 194.68.129.103 spi 0xc39e4d97
>> tcpmd5 from 194.68.129.150 to 194.68.129.120 spi 0xc8bf11ca
>> tcpmd5 from 194.68.129.120 to 194.68.129.102 spi 0xcc6b7756
>> tcpmd5 from 194.68.129.102 to 194.68.129.120 spi 0xd9097ad1
>> tcpmd5 from 194.68.129.197 to 194.68.129.120 spi 0xdb53b930
>> tcpmd5 from 194.68.129.151 to 194.68.129.120 spi 0xde1e91da
>> tcpmd5 from 194.68.129.120 to 194.68.129.197 spi 0xe630b27a
>>
>>
>> The .120 is my IP :p
>>
>>> I have md5 working with a kernel from April 28th and an absolutely
>>> -current bgpd, and also with the version from the Apr 28th snapshot,
>>> so I don't think there is a general problem with the code you're
>>> running.
>>
>> I'm almost sure there are no problems... I'm still trying to find where the
>> problem is :(
>>
>> If you have any hints.. I'd be happy to apply them...
>
> Did it work before the update with that peer?
> Most of the time the problem is different passwords or some other
> misconfiguration. TCP MD5 is an ugly hack that has some nasty
> ramifications (it breaks some basic behaviour of TCP e.g. RST signaling).

Hum, this is strange, in fact all tcp md5 sessions don't work at all.

I can give you access to this router if you like Claudio... :)

Xavier

> Normally the best is to turn off md5 and check that the session works. Then
> enable md5 or use ttl-security.
> --
> :wq Claudio

