
Re: OpenBGPD, Cisco and md5 passwords



Hi,

* Jon Morby <jon_(_at_)_fido_(_dot_)_net> [2005-02-17 17:09]:
> We're peering with about 30 peers, mainly on net but a couple sending a 
> full routing table ... all's working fine, and over half of them have 
> md5 passwords configured of varying lengths (from 6 to 18 chars)
> 
> However ... we have a couple of peers at least one of whom is using 
> Cisco 7204VXR routers running IOS 12.2.17 who we just can't get an md5 
> session configured with.
> 
> The logs their end just show "No MD5"
> 
> Is this a known issue, or is there anything further I / we can do to 
> help fix it ?
> 
> Remove the md5sig passwords from both sides and we get a session

I do have active md5sig'd sessions on -current to juniper and cisco - 
one peer is a 7206VXR even, so it is definitely not a known issue :)

you mentioned the password length - 6 is completely unacceptable, too 
short of course :). Just to make sure: how long is the md5sig password 
for the cisco session that dies? cisco has a very annoying bug, they 
silently truncate the passwords to 40 (I think it was 40, might 
have been a bit less even) chars - if the password is longer and the other 
side does not have this stupid bug and thus does not truncate, the 
passwords mismatch of course.

if it isn't that I'd watch bgpd setting things up using 
  # ipsecadm monitor
and, failing to see anything there, tcpdump.

-- 
http://2suck.net/hhwl.html - http://www.bsws.de/
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
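
Added example, not part of the original post: a Python illustration of why a silently truncated key breaks the session, computing the RFC 2385 TCP MD5 digest over a constructed SYN with the full and the truncated password. The 40-character limit is the post's own uncertain recollection, and the peer names, addresses and passwords are constructed.

```python
import hashlib
import socket
import struct

# Assumption: 40 is the post's recollection ("might have been a bit less"), not a verified limit.
ASSUMED_TRUNCATE_AT = 40

def tcp_md5_digest(src, dst, sport, dport, seq, ack, flags, window,
                   options_len, payload, key):
    """RFC 2385 digest: pseudo-header, base TCP header (checksum 0, no options), data, key."""
    seg_len = 20 + options_len + len(payload)      # TCP length as carried in the pseudo-header
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, socket.IPPROTO_TCP, seg_len)
    doff = (20 + options_len) // 4                 # data offset in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         doff << 4, flags, window, 0, 0)
    return hashlib.md5(pseudo + header + payload + key).digest()

def session_can_establish(password, truncate_at=ASSUMED_TRUNCATE_AT):
    """Sign a constructed SYN with the full key, verify it with the truncated key."""
    syn = dict(src="192.0.2.1", dst="192.0.2.2", sport=40000, dport=179,
               seq=1000, ack=0, flags=0x02, window=16384,
               options_len=20, payload=b"")        # constructed segment, documentation addresses
    sent = tcp_md5_digest(key=password.encode(), **syn)
    expected = tcp_md5_digest(key=password.encode()[:truncate_at], **syn)
    return sent == expected

def passwords_at_risk(peers, truncate_at=ASSUMED_TRUNCATE_AT):
    """Return peer names whose configured password would be cut by a truncating neighbor."""
    return [name for name, pw in peers.items() if len(pw.encode()) > truncate_at]

# Constructed sample configuration (hypothetical peer names and passwords).
SAMPLE_PEERS = {
    "peer-a": "s3cret",                 # 6 chars
    "peer-b": "eighteen-char-pass",     # 18 chars
    "peer-c": "x" * 40,                 # exactly at the assumed limit
    "peer-d": "correct-horse-battery-staple-and-then-some",  # 42 chars, over the limit
}

if __name__ == "__main__":
    for name, pw in SAMPLE_PEERS.items():
        state = "ok" if session_can_establish(pw) else "digest mismatch"
        print(f"{name}: {len(pw)} chars -> {state}")
    print("at risk:", passwords_at_risk(SAMPLE_PEERS))
```

A mismatch here corresponds to every signed segment being dropped by the receiver, which is why the session only comes up once the passwords are removed or shortened on both sides.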


