[ProgSoc] Getting ipsec-tools to work between Ubuntu Lucid hosts

Nigel Sheridan-Smith wtfiwtz at gmail.com
Fri Jul 29 08:49:37 EST 2011


> http://lartc.org/howto/lartc.ipsec.html#LARTC.IPSEC.INTRO
>>
>
> I found and read that link in my travels while trying to diagnose this
> problem last night.
>
> Here's the output from the diagnostics utility it mentions. I've checked
> and double-checked my SA/SP configurations, and I'm pretty sure they're
> correct (although obviously something is wrong -- somewhere).
>
>

I'd do the following:
- configure and test with ESP only
- configure and test with AH only
- combine the two

The example below only uses one line for "spdadd"... check also that you
have got the correct swapping of the IP addresses.

It is also recommended to apply AH after ESP, not sure why. In your case,
you have done AH first.

Configuration examples: host-to-host encryption+authentication
(from <http://www.netbsd.org/docs/network/ipsec/#IPsecFAQ>)


If you configure secret keys for both AH and ESP, you can use both of them.
The IPsec document suggests applying AH after ESP.

#! /bin/sh
#
# packet will look like this: IPv4 AH ESP payload
# the node is on 10.1.1.1, peer is on 20.1.1.1
setkey -c <<EOF
add 10.1.1.1 20.1.1.1 esp 9876 -E 3des-cbc "hogehogehogehogehogehoge";
add 20.1.1.1 10.1.1.1 esp 10000 -E 3des-cbc 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 10.1.1.1 20.1.1.1 ah 9877 -A hmac-md5 "hogehogehogehoge";
add 20.1.1.1 10.1.1.1 ah 10001 -A hmac-md5 "mogamogamogamoga";
spdadd 10.1.1.1 20.1.1.1 any -P out ipsec esp/transport//use ah/transport//use;
EOF
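The step-by-step approach above (ESP only, then AH only, then both) and the two things to check in the quoted script (keys of the right length, addresses swapped for the return direction, an SPD entry for each direction) can be scripted. The following is an added example written for this page, not the original post's or NetBSD's code; LOCAL, PEER, the SPIs and the keys are placeholders copied from the quoted example and should be replaced with your own.

```shell
#!/bin/sh
# Constructed example (not the original post's or NetBSD's script): emit
# setkey(8) input for one test phase (esp, ah or both) with an SA per
# direction and matching in/out SPD entries, after checking key lengths.
# LOCAL, PEER, SPIs and keys are placeholders; substitute your own.
LOCAL=10.1.1.1
PEER=20.1.1.1
# key_bytes KEY: length in bytes; 0x... keys are hex, anything else ASCII
key_bytes() { case "$1" in 0x*) echo $(( (${#1} - 2) / 2 )) ;; *) echo "${#1}" ;; esac; }

# check_key ALGO KEY: succeed only if KEY has the byte length ALGO expects
check_key() {
    case "$1" in
        3des-cbc)  want=24 ;;   # 192 bits, DES parity bits included
        hmac-md5)  want=16 ;;
        hmac-sha1) want=20 ;;
        *) echo "check_key: unknown algorithm $1" >&2; return 1 ;;
    esac
    [ "$(key_bytes "$2")" -eq "$want" ]
}

# fmt_key KEY: setkey quotes ASCII keys but takes 0x... keys bare
fmt_key() { case "$1" in 0x*) echo "$1" ;; *) echo "\"$1\"" ;; esac; }

# sa_pair PROTO FLAG ALGO SPI_OUT KEY_OUT SPI_IN KEY_IN: one 'add' per direction,
# with the addresses swapped for the return path
sa_pair() {
    check_key "$3" "$5" && check_key "$3" "$7" || return 1
    echo "add $LOCAL $PEER $1 $4 $2 $3 $(fmt_key "$5");"
    echo "add $PEER $LOCAL $1 $6 $2 $3 $(fmt_key "$7");"
}

# gen_config PHASE: esp, ah or both. ESP is listed before AH so the combined
# policy applies AH after ESP; the 'in' entry mirrors 'out' with addresses swapped.
gen_config() {
    policy=""
    if [ "$1" = esp ] || [ "$1" = both ]; then
        sa_pair esp -E 3des-cbc 9876 hogehogehogehogehogehoge \
            10000 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef || return 1
        policy="esp/transport//use"
    fi
    if [ "$1" = ah ] || [ "$1" = both ]; then
        sa_pair ah -A hmac-md5 9877 hogehogehogehoge 10001 mogamogamogamoga || return 1
        policy="${policy:+$policy }ah/transport//use"
    fi
    [ -n "$policy" ] || { echo "usage: gen_config esp|ah|both" >&2; return 1; }
    echo "spdadd $LOCAL $PEER any -P out ipsec $policy;"
    echo "spdadd $PEER $LOCAL any -P in ipsec $policy;"
}
```

Run one phase at a time on each host, e.g. `gen_config esp | setkey -c` with LOCAL and PEER exchanged on the peer, and only move on to `both` once the single-protocol phase passes.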