OpenBGPD MD5 Password doesn't work

  • Has anybody else managed to get BGP with MD5 passwords (Cisco style) working?
    From what I can see this problem was brought up a while ago and dismissed as a FreeBSD problem. I've also noticed similar messages pop up with IPSEC tunnels (likely due to the same problem), which makes me wonder why this hasn't been looked at???

    This is the error I get:

    bgpd[xxxx]: no kernel support for PF_KEY

    Surely this shouldn't be a problem still. It seems it can be fixed by recompiling the kernel with the TCP_SIGNATURE option. I'd really like to get this working as I want to move some core firewall/routers to pfsense for its ease of use, but without BGP+Password support it can't really happen. I've noticed that there is also a Quagga OSPF package in the package list. Does anybody have any experience with trying to rig it to do BGP as well (and whether it still has the PF_KEY issues)?

    See here:

    It's referenced in an old 1.2.3RC1 thread here:

  • AFAIK, all the support is there and I put the md5 support on openbgp so it works.

  • @ermal:

    AFAIK, all the support is there and I put the md5 support on openbgp so it works.

    Can anyone confirm a working md5-password setup with the OpenBGPD on PfSense 2.0.1?

    Is this using the GUI form to input the key or manually configured? I've tried the GUI, editing the config manually, running the OpenBGPD daemon manually and also manually using "setkey" to create the keys just in case. Something to note is that whenever OpenBGPD is initialised, in the logs it says "pfkey not available".

    Other than that, I'm still getting "pfkey setup failed" errors when trying to connect.  In this case it's my PfSense box connecting to a Juniper router via a PPPOE connection with multihop (BGP router is 2 hops).  There are no routing problems as ping to the BGP neighbor is fine and I've confirmed the password to be sure.

    Everything I can find on the net (and there's very little) suggests the kernel module problem as linked.

    Also, if I do a "sysctl -a" the "net.inet.tcp.signature_verify_input=0" setting regarding the PFKey module and TCP MD5 connections is missing.
    I've currently set up the PfSense Development OVA and will recompile the whole lot with the PFKey module in to test. Needless to say, it will take a while though. This could probably fix the IPSEC errors which are dependent on PFKEY as well.

    Also, the OpenBGPD package doesn't log anywhere. I set up a manual "all.log" file in the syslogd.conf to capture bgpd info (setting gets wiped on reboot though). This should probably be added so that it logs to system.log.

  • I've never got the passwords working despite a lot of trying and in the end we gave up on trying to get BGP working acceptably on PFSense with full internet routing tables.
    We now use the BSD Router Project (BSDRP) which uses Quagga and Bird and it does the job nicely and sits in front of the firewalls.

    I've not had a chance to try the Quagga package on PFSense in anger yet but it's on my todo list for next week when I set up a new internet transit pipe for a site. If you want I can post the outcome here or you can PM me.

    Personally I think the lack of logging is a plus. It stops people who don't have a full understanding of just how much data they will capture from killing the pfsense box or the syslog server.

  • Hi,
    Same problem here.
    Since upgrading to 2.1-DEVELOPMENT (amd64), built on Fri Mar 23 22:35:08 EDT 2012 I also need to use the "net.inet.tcp.signature_verify_input" trick, otherwise bgpd will not communicate. It never worked with password in the configuration, either TCP-MD5 key or password.
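
An added example (not part of any post in this thread, and not pfSense or OpenBGPD code): a small shell triage of the two symptoms reported above, the bgpd PF_KEY messages and the missing `net.inet.tcp.signature_verify_input` sysctl. The function names, verdict words, file names and sample lines are constructed for illustration; it assumes, as the thread suggests, that the sysctl is only present on a kernel built with TCP_SIGNATURE.

```shell
#!/bin/sh
# triage_tcpmd5 SYSCTL_DUMP LOGFILE   (hypothetical helper, added example)
#   SYSCTL_DUMP: saved output of "sysctl -a"
#   LOGFILE:     syslog file that receives bgpd messages
# Assumption taken from the thread: net.inet.tcp.signature_verify_input is
# only listed when the kernel was built with TCP_SIGNATURE.
# Prints a verdict word followed by the number of matching bgpd log lines.
# Usage on the router (log path is an assumption):
#   sysctl -a > /tmp/sysctl.txt; triage_tcpmd5 /tmp/sysctl.txt /var/log/all.log
triage_tcpmd5() {
    sysctl_dump=$1
    logfile=$2
    # Count bgpd lines carrying one of the three messages quoted in the thread.
    # "|| true": grep exits 1 on a zero count, which must not abort under set -e.
    hits=$(grep 'bgpd\[' "$logfile" \
        | grep -c -e 'no kernel support for PF_KEY' \
                  -e 'pfkey not available' \
                  -e 'pfkey setup failed' || true)
    # sysctl prints "name: value"; also accept "name=value" as written in the post.
    if grep -q '^net\.inet\.tcp\.signature_verify_input[=:]' "$sysctl_dump"; then
        knob=present
    else
        knob=absent
    fi
    case "$knob:$hits" in
        absent:0)  echo "no-kernel-knob $hits" ;;       # knob missing, nothing logged yet
        absent:*)  echo "kernel-lacks-tcpmd5 $hits" ;;  # the combination reported above
        present:0) echo "ok $hits" ;;
        present:*) echo "check-keys $hits" ;;           # knob exists; look at keys/password next
    esac
}

# Constructed sample data, not taken from a real system.
write_samples() {
    dir=$1
    printf '%s\n' 'net.inet.tcp.sack.enable: 1' > "$dir/sysctl_without.txt"
    printf '%s\n' 'net.inet.tcp.sack.enable: 1' \
        'net.inet.tcp.signature_verify_input: 1' > "$dir/sysctl_with.txt"
    printf '%s\n' \
        'Mar 24 10:00:01 fw bgpd[1234]: no kernel support for PF_KEY' \
        'Mar 24 10:00:05 fw bgpd[1234]: pfkey setup failed' \
        'Mar 24 10:00:09 fw otherd[99]: pfkey setup failed' > "$dir/bgpd.log"
    : > "$dir/empty.log"
}
```

The third sample log line comes from a different daemon and is deliberately not counted, so PF_KEY errors from other services are not attributed to bgpd.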

