IPsec - got ESP going, but not AH
Dan Langille
dan at langille.org
Fri Apr 23 07:39:50 PDT 2004
On 23 Apr 2004 at 8:02, Greg Troxel wrote:
> While this should probably work, it's more straightforward to use ESP
> with integrity protection. That is, use a -A hmac-sha1 argument also
> to ESP. (hmac-md5 is probably still fine, but sha1 goes better
> strength-wise with rijndael-cbc.)
Thank you for your suggestions. Based on that, I've tried the
following, which works for me:
add 10.0.0.1 10.0.0.10 esp 691 -E rijndael-cbc "1234567890123456" -A hmac-sha1 "12345678901234567890";
add 10.0.0.10 10.0.0.1 esp 693 -E rijndael-cbc "1234567890123456" -A hmac-sha1 "12345678901234567890";
spdadd 10.0.0.0/24 0.0.0.0/0 any -P out ipsec esp/tunnel/10.0.0.10-10.0.0.1/require;
spdadd 0.0.0.0/0 10.0.0.0/24 any -P in ipsec esp/tunnel/10.0.0.1-10.0.0.10/require;
Cheers
--
Dan Langille : http://www.langille.org/
BSDCan - http://www.bsdcan.org/
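As an added example (not part of Dan's message, and not a setkey(8) feature), here is a small Python checker for the two things Greg's advice turns on: an ESP SA that carries no -A integrity algorithm, and an -E or -A key whose byte length does not match what setkey expects for that algorithm (rijndael-cbc 16/24/32 bytes, hmac-sha1 20 bytes, hmac-md5 16 bytes). The key-length table and the lint_setkey function are assumptions of this example; the first sample configuration is the SA lines from the post above, the second is a constructed broken variant.

```python
"""Lint a setkey(8) script for ESP SAs without integrity protection and for
cipher/MAC keys of the wrong length.  Example code written for this thread,
not part of setkey or of the original post."""
import shlex

# Accepted key lengths in bytes (assumption: taken from the setkey(8) manual's
# algorithm table; extend as needed).
CIPHER_KEY_BYTES = {
    "rijndael-cbc": {16, 24, 32},
    "3des-cbc": {24},
}
MAC_KEY_BYTES = {
    "hmac-md5": {16},
    "hmac-sha1": {20},
}

# Sample input 1: the SA/SP lines Dan posted, unchanged.
THREAD_CONFIG = """
add 10.0.0.1 10.0.0.10 esp 691 -E rijndael-cbc "1234567890123456" -A hmac-sha1 "12345678901234567890";
add 10.0.0.10 10.0.0.1 esp 693 -E rijndael-cbc "1234567890123456" -A hmac-sha1 "12345678901234567890";
spdadd 10.0.0.0/24 0.0.0.0/0 any -P out ipsec esp/tunnel/10.0.0.10-10.0.0.1/require;
spdadd 0.0.0.0/0 10.0.0.0/24 any -P in ipsec esp/tunnel/10.0.0.1-10.0.0.10/require;
"""

# Sample input 2 (constructed): first SA has no -A, second has a 15-byte AES key.
CONSTRUCTED_BAD_CONFIG = """
add 10.0.0.1 10.0.0.10 esp 691 -E rijndael-cbc "1234567890123456";
add 10.0.0.10 10.0.0.1 esp 693 -E rijndael-cbc "123456789012345" -A hmac-sha1 "12345678901234567890";
"""


def key_length(token):
    """Key length in bytes: 0x-prefixed keys are hex, otherwise setkey uses
    the bytes of the double-quoted string verbatim."""
    if token.startswith("0x"):
        return (len(token) - 2) // 2
    return len(token.encode())


def parse_statements(config):
    """Split the script into token lists, one per ';'-terminated statement."""
    statements = []
    for raw in config.split(";"):
        raw = raw.strip()
        if raw and not raw.startswith("#"):
            statements.append(shlex.split(raw))
    return statements


def lint_setkey(config):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for tokens in parse_statements(config):
        if len(tokens) < 5 or tokens[0] != "add":
            continue  # spdadd and other commands are outside this check
        src, dst, proto, spi = tokens[1:5]
        tag = f"{proto} SA {src}->{dst} spi {spi}"
        enc = auth = None
        i = 5
        while i < len(tokens):
            if tokens[i] in ("-E", "-A") and i + 2 < len(tokens):
                if tokens[i] == "-E":
                    enc = (tokens[i + 1], tokens[i + 2])
                else:
                    auth = (tokens[i + 1], tokens[i + 2])
                i += 3
            else:
                i += 1
        if proto == "esp" and auth is None:
            findings.append(f"{tag}: ESP without -A gives confidentiality but no integrity protection")
        for flag, pair, table in (("-E", enc, CIPHER_KEY_BYTES), ("-A", auth, MAC_KEY_BYTES)):
            if pair is None:
                continue
            alg, key = pair
            if alg not in table:
                findings.append(f"{tag}: unrecognised {flag} algorithm {alg}")
            elif key_length(key) not in table[alg]:
                findings.append(f"{tag}: {alg} key is {key_length(key)} bytes, expected one of {sorted(table[alg])}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("thread config", THREAD_CONFIG), ("constructed bad config", CONSTRUCTED_BAD_CONFIG)):
        print(f"== {name}")
        for line in lint_setkey(cfg) or ["clean"]:
            print("  " + line)
```

Run against the posted configuration it reports nothing, since both SAs carry hmac-sha1 and both keys are the right length; the constructed variant produces one finding per line. Such a check is best run over the script before it is fed to setkey -f, because setkey itself will accept an ESP SA with no -A at all.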