From owner-freebsd-security Fri Mar 9 4:11:13 2001
Delivered-To: freebsd-security@freebsd.org
Received: from coconut.itojun.org (coconut.itojun.org [210.160.95.97]) by hub.freebsd.org (Postfix) with ESMTP id B0FAB37B719 for ; Fri, 9 Mar 2001 04:11:08 -0800 (PST) (envelope-from itojun@itojun.org)
Received: from kiwi.itojun.org (localhost.itojun.org [127.0.0.1]) by coconut.itojun.org (8.9.3+3.2W/3.7W) with ESMTP id VAA01512; Fri, 9 Mar 2001 21:10:32 +0900 (JST)
To: "ho-sang, yoon"
Cc: misc@openbsd.org, freebsd-security@freebsd.org
In-reply-to: tsoi's message of Fri, 09 Mar 2001 20:05:47 JST. <20010309200546.A1386@xocah.holywar.net>
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2
Subject: Re: IPsec between OpenBSD and FreeBSD
From: itojun@iijlab.net
Date: Fri, 09 Mar 2001 21:10:31 +0900
Message-ID: <1510.984139831@coconut.itojun.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Sorry for a second question today,
>I tried this for the entire day, but there's no light on me.
>Changed algorithm, changed key, ... but all was in vain.
>Can anybody help me out? (I tried manual keying, not using racoon or isakmpd)
>
>First, just AH,
>
>o. in OpenBSD
>
>ipsecadm new ah -spi 1000 -src a.a.a.a -dst b.b.b.b -auth sha1 \
>-key 1234567890123456789012345678901234567890
>
>ipsecadm new ah -spi 3e9 -dst a.a.a.a -src b.b.b.b -auth sha1 \
>-key 1234567890123456789012345678901234567890
>
>ipsecadm flow -dst b.b.b.b -proto ah -addr a.a.a.a \
>255.255.255.255 b.b.b.b 255.255.255.255 -out -require
>ipsecadm flow -dst a.a.a.a -proto ah -addr b.b.b.b \
>255.255.255.255 a.a.a.a 255.255.255.255 -in -require
>
>
>o. in FreeBSD
>
>add b.b.b.b a.a.a.a ah-old 1001 -A keyed-md5 "1234567890123456";
>add a.a.a.a b.b.b.b ah-old 4096 -A keyed-md5 "1234567890123456";
>spdadd b.b.b.b a.a.a.a any -P out ipsec \
>ah/transport/b.b.b.b-a.a.a.a/require;
>spdadd a.a.a.a b.b.b.b any -P in ipsec \
>ah/transport/a.a.a.a-b.b.b.b/require;

the key to IPsec configuration is to use EXACTLY the same configuration
on both ends. if there's any difference, you have no chance to make them
interoperate. there are at least three mistakes:

- openbsd side is using new AH (RFC2402), while freebsd side is using
  old AH (RFC1826). i suggest you use new AH for both ends.
- openbsd side is using sha1 (= hmac-sha1) and freebsd side is using
  keyed-md5. you can pick either of them, but you really need to use
  the same thing on both ends.
- key does not match on both ends. FreeBSD key in the above is an ascii
  string, which would be 0x31323334... if written in binary form.
  openbsd side uses binary form. you need to use the same value, as
  binary. the easiest way is to use hexadecimal form for both ends, like:

	openbsd:	-key 1234567890123456789012345678901234567890
	freebsd:	-A hmac-sha1 0x1234567890123456789012345678901234567890

i omit the analysis for the esp case. carefully check if ALL the
configuration items are the same, and if not, change them so that they
meet up.

itojun

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
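The three mismatches itojun lists (AH version, authentication algorithm, and the ASCII-versus-hex key) are exactly the kind of thing that is easier to catch by normalising both ends' manual-keying lines to one representation and diffing the fields than by reading them side by side. The script below is an added example, not part of the original message and not part of OpenBSD's ipsecadm(8) or FreeBSD's setkey(8); it assumes that ipsecadm takes `-spi` and `-key` as hexadecimal, that setkey takes a bare SPI as decimal and a `0x`-prefixed one as hex, and that a double-quoted setkey key is an ASCII string (so `"1234567890123456"` becomes `0x31323334...`). The addresses `a.a.a.a`/`b.b.b.b` and keys are the placeholders from the thread; the "fixed" FreeBSD lines apply the change the reply recommends.

```python
"""Normalise manually keyed AH SAs written in OpenBSD ipsecadm and FreeBSD
setkey syntax and report the fields that differ between the two ends.

Assumptions (this example's, not the tools' documented behaviour):
  ipsecadm: -spi and -key are hexadecimal
  setkey:   bare SPI is decimal, 0x-prefixed is hex,
            a "quoted" key is ASCII, a 0x key is hex
"""
from dataclasses import dataclass

# One canonical spelling per algorithm: ipsecadm's "sha1"/"md5" mean HMAC.
ALG_ALIASES = {
    "sha1": "hmac-sha1", "hmac-sha1": "hmac-sha1",
    "md5": "hmac-md5", "hmac-md5": "hmac-md5",
    "keyed-md5": "keyed-md5", "keyed-sha1": "keyed-sha1",
}


@dataclass(frozen=True)
class SA:
    src: str
    dst: str
    proto: str    # "ah" = new AH (RFC 2402), "ah-old" = old AH (RFC 1826)
    spi: int
    auth: str
    key: bytes


def parse_ipsecadm(line: str) -> SA:
    """ipsecadm new ah -spi 3e9 -src b.b.b.b -dst a.a.a.a -auth sha1 -key <hex>"""
    toks = line.split()
    opts = {toks[i]: toks[i + 1]
            for i in range(len(toks) - 1) if toks[i].startswith("-")}
    proto = "ah" if toks[1] == "new" else "ah-old"
    return SA(src=opts["-src"], dst=opts["-dst"], proto=proto,
              spi=int(opts["-spi"], 16),            # assumption: hex SPI
              auth=ALG_ALIASES[opts["-auth"]],
              key=bytes.fromhex(opts["-key"]))      # assumption: hex key


def parse_setkey(line: str) -> SA:
    """add b.b.b.b a.a.a.a ah-old 1001 -A keyed-md5 "1234567890123456";"""
    toks = line.rstrip(";").split()
    _, src, dst, proto, spi = toks[:5]
    auth = toks[toks.index("-A") + 1]
    raw = toks[toks.index("-A") + 2]
    if raw.startswith('"'):
        key = raw.strip('"').encode("ascii")        # "1234" -> 0x31323334
    else:
        key = bytes.fromhex(raw[2:])                # 0x1234 -> 0x1234
    return SA(src=src, dst=dst, proto=proto, spi=int(spi, 0),
              auth=ALG_ALIASES[auth], key=key)


def compare(side_a, side_b):
    """Pair SAs by (src, dst) and list every field that differs per direction."""
    by_dir_b = {(sa.src, sa.dst): sa for sa in side_b}
    problems = []
    for sa in side_a:
        other = by_dir_b.get((sa.src, sa.dst))
        if other is None:
            problems.append(f"{sa.src}->{sa.dst}: no matching SA on other end")
            continue
        for field in ("proto", "spi", "auth", "key"):
            mine, theirs = getattr(sa, field), getattr(other, field)
            if mine != theirs:
                problems.append(
                    f"{sa.src}->{sa.dst}: {field} differs ({mine!r} vs {theirs!r})")
    return problems


# Constructed inputs: the lines from the thread, then the FreeBSD side with
# the reply's fix applied (new AH, hmac-sha1, key given in hex).
HEXKEY = "1234567890123456789012345678901234567890"
OPENBSD = [
    f"ipsecadm new ah -spi 1000 -src a.a.a.a -dst b.b.b.b -auth sha1 -key {HEXKEY}",
    f"ipsecadm new ah -spi 3e9 -dst a.a.a.a -src b.b.b.b -auth sha1 -key {HEXKEY}",
]
FREEBSD_ORIG = [
    'add b.b.b.b a.a.a.a ah-old 1001 -A keyed-md5 "1234567890123456";',
    'add a.a.a.a b.b.b.b ah-old 4096 -A keyed-md5 "1234567890123456";',
]
FREEBSD_FIXED = [
    f"add b.b.b.b a.a.a.a ah 1001 -A hmac-sha1 0x{HEXKEY};",
    f"add a.a.a.a b.b.b.b ah 4096 -A hmac-sha1 0x{HEXKEY};",
]


def check_original():
    return compare([parse_ipsecadm(l) for l in OPENBSD],
                   [parse_setkey(l) for l in FREEBSD_ORIG])


def check_fixed():
    return compare([parse_ipsecadm(l) for l in OPENBSD],
                   [parse_setkey(l) for l in FREEBSD_FIXED])


if __name__ == "__main__":
    for p in check_original():
        print("original:", p)
    print("fixed:", check_fixed() or "no mismatches")
```

Note that the SPIs in the thread already agree once each tool's number base is accounted for: ipsecadm's hex `3e9` is setkey's decimal `1001`, and hex `1000` is decimal `4096`, so the checker reports only the protocol, algorithm and key differences for the original lines and nothing for the corrected ones.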