Subject: bin/29915: Can't setkey for tcp-md5 anymore
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: None <peter@boku.net>
List: netbsd-bugs
Date: 04/07/2005 12:30:00
>Number: 29915
>Category: bin
>Synopsis: Can't setkey for tcp-md5 anymore
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Apr 07 12:30:00 +0000 2005
>Originator: Peter Eisch
>Release: 3.99.3
>Organization:
>Environment:
NetBSD thumper 3.99.3 NetBSD 3.99.3 (PETER-FW) #1: Mon Apr 4 10:35:24 CDT 2005 peter@thumper:/builds/current/i386/obj/builds/current/src/sys/arch/i386/compile/PETER-FW i386
>Description:
At one point, with -current last summer I could add TCP_SIGNATURE tags on a session, but I can't anymore. The entries in /etc/ipsec.conf looked like:
add a.a.a.a b.b.b.b tcp 0x1000 -A tcp-md5 "foobar" ;
add b.b.b.b a.a.a.a tcp 0x1000 -A tcp-md5 "foobar" ;
The current outcome is a failure:
slink# setkey -f /tmp/sk
line 1: syntax error at [tcp]
parse failed, line 1.
slink#
>How-To-Repeat:
Create a small file with two rules similar to that in the description and apply the keys.
>Fix:
While I don't have impressive yacc/lex skills, it appears that ipsec-tools lacks the support for using TCP as a protocol. It does appear to have fragments of the tcp-md5 algorithm -- it appears that it would allow the configuration of the algorithm.
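To make the failure mode concrete, here is a small model of the kind of grammar setkey(8) uses for an `add` line, written as an added illustration for this report rather than taken from ipsec-tools or NetBSD. The protocol and algorithm keyword sets (`PROTOS_WITHOUT_TCP`, `PROTOS_WITH_TCP`, `AUTH_ALGS`) are assumptions constructed for the example, not the real yacc tables; the point it shows is that a grammar whose protocol alternatives omit `tcp` stops exactly at that token and reports it the way the report's output does, while the same two rules parse cleanly once `tcp` is an accepted protocol.

```python
import re
from dataclasses import dataclass

# Protocol keywords the 'add' rule accepts in two hypothetical grammars
# (constructed for this illustration; not the ipsec-tools parser tables).
PROTOS_WITHOUT_TCP = frozenset({"esp", "ah", "ipcomp"})
PROTOS_WITH_TCP = PROTOS_WITHOUT_TCP | {"tcp"}

# Authentication algorithm names this toy grammar knows (assumed subset).
AUTH_ALGS = frozenset({"hmac-md5", "hmac-sha1", "tcp-md5"})

# A token is a double-quoted string, a bare word, or the ';' terminator.
TOKEN_RE = re.compile(r'"(?P<quoted>[^"]*)"|(?P<word>[^\s;"]+)|(?P<end>;)')


class ParseError(ValueError):
    """Raised with setkey-style wording: 'syntax error at [token]'."""


@dataclass(frozen=True)
class SAEntry:
    src: str
    dst: str
    proto: str
    spi: int
    auth_alg: str
    auth_key: bytes


def tokenize(line):
    """Split one setkey line into (kind, text) tokens; kind marks quoting."""
    tokens, pos = [], 0
    for m in TOKEN_RE.finditer(line):
        if line[pos:m.start()].strip():       # e.g. an unterminated quote
            raise ParseError(f"syntax error at [{line[pos:m.start()].strip()}]")
        pos = m.end()
        if m.group("quoted") is not None:
            tokens.append(('"', m.group("quoted")))
        elif m.group("word") is not None:
            tokens.append(("w", m.group("word")))
        else:
            tokens.append((";", ";"))
    if line[pos:].strip():
        raise ParseError(f"syntax error at [{line[pos:].strip()}]")
    return tokens


def expect_word(tokens, i, what):
    """Return the bare word at position i or raise a setkey-style error."""
    if i >= len(tokens):
        raise ParseError(f"syntax error at [EOF] (expected {what})")
    kind, text = tokens[i]
    if kind != "w":
        raise ParseError(f"syntax error at [{text}]")
    return text


def parse_key(tokens, i):
    """Key material: a double-quoted ASCII string or 0x-prefixed hex."""
    if i >= len(tokens):
        raise ParseError("syntax error at [EOF] (expected key)")
    kind, text = tokens[i]
    if kind == '"':
        return text.encode("ascii")
    if kind == "w" and text.lower().startswith("0x"):
        try:
            return bytes.fromhex(text[2:])
        except ValueError:
            raise ParseError(f"syntax error at [{text}]") from None
    raise ParseError(f"syntax error at [{text}]")


def parse_add(line, protos):
    """Parse: add SRC DST PROTO SPI -A ALG KEY ;  with PROTO limited to protos."""
    tokens = tokenize(line)
    if expect_word(tokens, 0, "add") != "add":
        raise ParseError(f"syntax error at [{tokens[0][1]}]")
    src = expect_word(tokens, 1, "src")
    dst = expect_word(tokens, 2, "dst")
    proto = expect_word(tokens, 3, "protocol")
    if proto not in protos:            # no grammar alternative for this word
        raise ParseError(f"syntax error at [{proto}]")
    spi_text = expect_word(tokens, 4, "spi")
    try:
        spi = int(spi_text, 0)
    except ValueError:
        raise ParseError(f"syntax error at [{spi_text}]") from None
    if expect_word(tokens, 5, "-A") != "-A":
        raise ParseError(f"syntax error at [{tokens[5][1]}]")
    alg = expect_word(tokens, 6, "algorithm")
    if alg not in AUTH_ALGS:
        raise ParseError(f"syntax error at [{alg}]")
    key = parse_key(tokens, 7)
    if len(tokens) != 9 or tokens[8][0] != ";":
        raise ParseError("syntax error at [EOF] (expected ';')")
    return SAEntry(src, dst, proto, spi, alg, key)


def load_config(text, protos):
    """Mimic 'setkey -f': return (entries, None) or (None, error text)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            entries.append(parse_add(line, protos))
        except ParseError as e:
            return None, f"line {lineno}: {e}\nparse failed, line {lineno}."
    return entries, None


# Constructed sample: the two rules from the report, with placeholder addresses.
SAMPLE = ('add a.a.a.a b.b.b.b tcp 0x1000 -A tcp-md5 "foobar" ;\n'
          'add b.b.b.b a.a.a.a tcp 0x1000 -A tcp-md5 "foobar" ;\n')

if __name__ == "__main__":
    for label, protos in (("without tcp", PROTOS_WITHOUT_TCP), ("with tcp", PROTOS_WITH_TCP)):
        entries, err = load_config(SAMPLE, protos)
        print(f"grammar {label}: {err if err else [e.proto for e in entries]}")
```

Run as a script, the first grammar reproduces the report's two-line failure for line 1 and the second accepts both rules; the same model also rejects a malformed hex key at the offending token, which is how a yacc-style parser surfaces any unknown alternative, not just a missing protocol keyword.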