Subject: Re: bin/29915 Can't setkey for tcp-md5 anymore
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: Peter Eisch <peter@boku.net>
List: netbsd-bugs
Date: 04/09/2005 16:56:01
The following reply was made to PR bin/29915; it has been noted by GNATS.
From: Peter Eisch <peter@boku.net>
To: Emmanuel Dreyfus <manu@netbsd.org>, <gnats-bugs@netbsd.org>
Cc:
Subject: Re: bin/29915 Can't setkey for tcp-md5 anymore
Date: Sat, 09 Apr 2005 11:55:25 -0500
This is good. I've got i386 and sparc64 (just for endian testing) working
with a Cisco but there's an odd nuance. The initial SYNs originated from
NetBSD don't have the tcp-md5 auth in them. If the Cisco originates with a
SYN (with the tcp-md5) NetBSD will SYN-ACK with the tcp-md5 auth.

Beyond this detail, I'm ready to give it some load testing and then look at
what it takes to add/delete keys dynamically. Should calls like OpenBSD's
work with this libipsec?

NetBSD trying to initiate:

11:16:47.800946 IP netbsd.62994 > cisco.179: S 4036427276:4036427276(0) win 32768 <mss 1460,nop,wscale 0,sackOK,nop,nop,nop,nop,timestamp 0 0>
11:16:53.800044 IP netbsd.62994 > cisco.179: S 4036427276:4036427276(0) win 32768 <mss 1460,nop,wscale 0,sackOK,nop,nop,nop,nop,timestamp 12 0>
11:17:05.800125 IP netbsd.62994 > cisco.179: S 4036427276:4036427276(0) win 32768 <mss 1460,nop,wscale 0,sackOK,nop,nop,nop,nop,timestamp 36 0>
11:17:29.800063 IP netbsd.62994 > cisco.179: S 4036427276:4036427276(0) win 32768 <mss 1460,nop,wscale 0,sackOK,nop,nop,nop,nop,timestamp 84 0>

Cisco trying to initiate:

11:17:56.263461 IP cisco.11024 > netbsd.179: S 3464436573:3464436573(0) win 16384 <mss 516,tcpmd5:ad199638cdf46f15c38b36b7c90d6da5,eol>
11:17:56.263683 IP netbsd.179 > cisco.11024: S 2051291791:2051291791(0) ack 3464436574 win 32768 <mss 1460,tcpmd5:397ab8b3fc8443aaa45a1c855d7d5f7d,nop,eol>
11:17:56.265040 IP cisco.11024 > netbsd.179: . ack 1 win 16384 <tcpmd5:e36f1d45a141a45d4138177d0a2644e3,eol>
11:17:56.267040 IP cisco.11024 > netbsd.179: P 1:46(45) ack 1 win 16384 <tcpmd5:b6c32152bded65ef6e3c6b1136142d38,eol>: BGP, length: 45
11:17:56.267251 IP netbsd.179 > cisco.11024: P 1:22(21) ack 46 win 33580 <tcpmd5:6f0eb4c4fcc14f032caa56fade7b24ff,nop,eol>: BGP, length: 21

Many thanks,
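
Added example, not part of the original message or of NetBSD: a small check that reads tcpdump text in the format shown above and lists every segment on the BGP port that lacks the TCP MD5 signature option, which is how the unsigned outgoing SYNs show up. The function names are this example's own, and the sample lines are taken from the capture in the message.

```python
import re

# Lines copied from the capture in the message above, rejoined where the
# mail wrapped them. Only the older tcpdump text format shown there is handled.
CAPTURE = """\
11:16:47.800946 IP netbsd.62994 > cisco.179: S 4036427276:4036427276(0) win 32768 <mss 1460,nop,wscale 0,sackOK,nop,nop,nop,nop,timestamp 0 0>
11:16:53.800044 IP netbsd.62994 > cisco.179: S 4036427276:4036427276(0) win 32768 <mss 1460,nop,wscale 0,sackOK,nop,nop,nop,nop,timestamp 12 0>
11:17:56.263461 IP cisco.11024 > netbsd.179: S 3464436573:3464436573(0) win 16384 <mss 516,tcpmd5:ad199638cdf46f15c38b36b7c90d6da5,eol>
11:17:56.263683 IP netbsd.179 > cisco.11024: S 2051291791:2051291791(0) ack 3464436574 win 32768 <mss 1460,tcpmd5:397ab8b3fc8443aaa45a1c855d7d5f7d,nop,eol>
11:17:56.265040 IP cisco.11024 > netbsd.179: . ack 1 win 16384 <tcpmd5:e36f1d45a141a45d4138177d0a2644e3,eol>
"""

SEGMENT = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<flags>\S+) (?P<rest>.*)$"
)
MD5_OPT = re.compile(r"tcpmd5:(?P<digest>[0-9a-f]{32})\b")


def parse(text, port=179):
    """Return one dict per TCP segment to or from `port` (179 = BGP)."""
    segments = []
    for line in text.splitlines():
        m = SEGMENT.match(line.strip())
        if not m or str(port) not in (m["sport"], m["dport"]):
            continue
        # The TCP option list is the <...> group; look for tcpmd5 inside it.
        opts = re.search(r"<([^>]*)>", m["rest"])
        sig = MD5_OPT.search(opts.group(1)) if opts else None
        segments.append({
            "ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "syn": "S" in m["flags"],
            "ack": re.search(r"\back \d+", m["rest"]) is not None,
            "digest": sig["digest"] if sig else None,
        })
    return segments


def unsigned_segments(text, port=179):
    """Segments that carry no TCP MD5 signature option (RFC 2385)."""
    return [s for s in parse(text, port) if s["digest"] is None]


if __name__ == "__main__":
    for s in unsigned_segments(CAPTURE):
        kind = "SYN" if s["syn"] and not s["ack"] else "segment"
        print(f'{s["ts"]} unsigned {kind} {s["src"]} -> {s["dst"]}')
```
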