Subject: Re: TCP_SIGNATURE (rfc2385) panics and problems
To: Jeff Rizzo <riz@boogers.sf.ca.us>
From: Jonathan Stone <jonathan@dsg.stanford.edu>
List: tech-net
Date: 05/24/2004 10:29:48
In message <20040523011144.GA5956@boogers.sf.ca.us> Jeff Rizzo writes
>So, I've only just found the time to start playing with the new RFC2385
>code (thanks a TON for porting it to Jonathan Stone), and, naturally
>there are some problems.  I'm using Bruce M. Simpson's patches to
>quagga 0.96.4, and attempting to peer with a Cisco router.  For those
>interested, his patches to quagga are here:
>http://people.freebsd.org/~bms/dump/quagga-tcpmd5/

Jeff,

Thanks for taking the time to test this. Sorry to hear it didn't
work for you.

I haven't had time to look into tcp_signatures since I initially
committed a port of the FreeBSD code. I do a quick implementation of
receive-side verification of the MD5 sums; but my available time
for NetBSD hacking has been taken up with 2.0 release issues.

The reference-counting in the initial commit was all borked up.
Someone (Itojun?) reworked the initial commit to work with KAME
IPsec, and make some considerable improvements in the key handling;
but clearly never even tried compiling those changes with FAST_IPSEC
(as the two or three unused variables show).

All I can tell you is that the initial FAST_IPSEC code did work, using
a modified ttcp with command-line switches to set the TCP_MD5 setsockopt().

Since I don't have a Cisco to play with, all I can do is try the same
modified ttcp, between two *BSD machines, later this week.