Date:      Fri, 23 Apr 2004 00:09:51 -0400
From:      "Dan Langille" <dan@langille.org>
To:        freebsd-security@FreeBSD.org
Subject:   IPsec - got ESP going, but not AH
Message-ID:  <40885ECF.22456.1C68F42E@localhost>

Hi folks,

I've been working on getting my WiFi network running with IPsec.  I'm 
at the point where all traffic on the wifi subnet is encrypted (i.e. 
ESP).  Then I tried to add AH to the equation.  I failed.

This picture describes the network setup:

  http://beta.freebsddiary.org/images/ipsec-wireless.gif

Here's what I'm trying and failing with.  With these rules, I get no 
comms between the laptop and the gateway.  If I remove the 
"ah/tunnel/..." clauses from the spdadd statements, everything moves 
along nicely.  What am I missing here?

Any ideas?  Thank you.

rules for the laptop (encrypting + authentication)
add 10.0.0.1  10.0.0.10 esp 691 -E rijndael-cbc "1234567890123456";
add 10.0.0.10 10.0.0.1  esp 693 -E rijndael-cbc "1234567890123456";

add 10.0.0.1 10.0.0.10 ah 15700 -A hmac-md5 "1234567890123456";
add 10.0.0.10 10.0.0.1 ah 24500 -A hmac-md5 "1234567890123456";

spdadd 10.0.0.0/24 0.0.0.0/0  any -P out ipsec
    esp/tunnel/10.0.0.10-10.0.0.1/require
    ah/tunnel/10.0.0.10-10.0.0.1/require;
spdadd  0.0.0.0/0 10.0.0.0/24 any -P in  ipsec
    esp/tunnel/10.0.0.1-10.0.0.10/require
    ah/tunnel/10.0.0.1-10.0.0.10/require;
 
rules for the gateway (encrypting + authentication)
add 10.0.0.1  10.0.0.10 esp 691 -E rijndael-cbc "1234567890123456";
add 10.0.0.10 10.0.0.1  esp 693 -E rijndael-cbc "1234567890123456";

add 10.0.0.1 10.0.0.10 ah 15700 -A hmac-md5 "1234567890123456";
add 10.0.0.10 10.0.0.1 ah 24500 -A hmac-md5 "1234567890123456";

spdadd 10.0.0.0/24 0.0.0.0/0   any -P in  ipsec
    esp/tunnel/10.0.0.10-10.0.0.1/require
    ah/tunnel/10.0.0.10-10.0.0.1/require;
spdadd 0.0.0.0/0   10.0.0.0/24 any -P out ipsec
    esp/tunnel/10.0.0.1-10.0.0.10/require
    ah/tunnel/10.0.0.1-10.0.0.10/require;
-- 
Dan Langille : http://www.langille.org/
BSDCan - http://www.bsdcan.org/
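An added example, not part of the post above: a small Python checker for setkey(8)-style `add`/`spdadd` definitions of the kind posted. It parses the SA and SP statements, checks that each SA has the algorithm flag its protocol needs and a key of a length that algorithm accepts, that (dst, proto, SPI) triples are unique, and that every `require` tunnel clause in a policy is backed by an SA for that protocol in that direction. The posted laptop rules are embedded as the sample input and pass all of these checks; the key-size table is a subset taken from setkey(8) and is an assumption for anything beyond the algorithms listed.

```python
"""Structural checks for setkey(8) 'add' and 'spdadd' statements (added example)."""
import shlex

# Accepted key sizes in bits, per setkey(8); only a subset of algorithms (assumption)
ENC_KEY_BITS = {"rijndael-cbc": {128, 192, 256}, "3des-cbc": {192}}
AUTH_KEY_BITS = {"hmac-md5": {128}, "hmac-sha1": {160}, "hmac-sha2-256": {256}}

# Constructed sample: the laptop rules from the post, verbatim
LAPTOP_CONF = """
add 10.0.0.1  10.0.0.10 esp 691 -E rijndael-cbc "1234567890123456";
add 10.0.0.10 10.0.0.1  esp 693 -E rijndael-cbc "1234567890123456";
add 10.0.0.1 10.0.0.10 ah 15700 -A hmac-md5 "1234567890123456";
add 10.0.0.10 10.0.0.1 ah 24500 -A hmac-md5 "1234567890123456";
spdadd 10.0.0.0/24 0.0.0.0/0  any -P out ipsec
    esp/tunnel/10.0.0.10-10.0.0.1/require
    ah/tunnel/10.0.0.10-10.0.0.1/require;
spdadd  0.0.0.0/0 10.0.0.0/24 any -P in  ipsec
    esp/tunnel/10.0.0.1-10.0.0.10/require
    ah/tunnel/10.0.0.1-10.0.0.10/require;
"""


def key_bits(key):
    """Bit length of a setkey key: 0x... is hex, anything else a literal string."""
    if key.startswith("0x"):
        return (len(key) - 2) * 4
    return len(key) * 8


def parse_setkey(text):
    """Parse 'add' (SA) and 'spdadd' (SP) statements; returns (sas, sps)."""
    sas, sps = [], []
    for stmt in text.split(";"):            # statements end with ';'
        tok = shlex.split(stmt)             # also strips the quotes around keys
        if not tok:
            continue
        if tok[0] == "add":
            # add src dst proto spi [-E enc_alg key] [-A auth_alg key]
            sa = {"src": tok[1], "dst": tok[2], "proto": tok[3], "spi": int(tok[4], 0)}
            i = 5
            while i < len(tok):
                if tok[i] == "-E":
                    sa["enc"], sa["enc_key"] = tok[i + 1], tok[i + 2]
                    i += 3
                elif tok[i] == "-A":
                    sa["auth"], sa["auth_key"] = tok[i + 1], tok[i + 2]
                    i += 3
                else:
                    i += 1
            sas.append(sa)
        elif tok[0] == "spdadd":
            # spdadd src dst upperspec -P direction ipsec proto/mode/src-dst/level ...
            sp = {"src": tok[1], "dst": tok[2], "upper": tok[3], "dir": tok[5], "rules": []}
            for clause in tok[7:]:
                proto, mode, ends, level = clause.split("/")
                ep_src, ep_dst = ends.split("-") if ends else (None, None)
                sp["rules"].append({"proto": proto, "mode": mode,
                                    "src": ep_src, "dst": ep_dst, "level": level})
            sps.append(sp)
    return sas, sps


def check_config(sas, sps):
    """Return a list of human-readable problems; empty means all checks passed."""
    problems, seen = [], set()
    for sa in sas:
        ident = (sa["dst"], sa["proto"], sa["spi"])      # SA identity: (dst, proto, SPI)
        if ident in seen:
            problems.append(f"duplicate SA {ident}")
        seen.add(ident)
        if sa["proto"] == "esp" and "enc" not in sa:
            problems.append(f"esp SA spi={sa['spi']} has no -E algorithm")
        if sa["proto"] == "ah" and "auth" not in sa:
            problems.append(f"ah SA spi={sa['spi']} has no -A algorithm")
        for flag, table in (("enc", ENC_KEY_BITS), ("auth", AUTH_KEY_BITS)):
            if flag in sa:
                alg, bits = sa[flag], key_bits(sa[flag + "_key"])
                if bits not in table.get(alg, set()):
                    problems.append(f"{alg} SA spi={sa['spi']}: key is {bits} bits, "
                                    f"want {sorted(table.get(alg, []))}")
    for sp in sps:
        for r in sp["rules"]:
            if r["mode"] != "tunnel" or r["level"] != "require":
                continue                                  # transport clauses carry no endpoints
            backed = any(sa["proto"] == r["proto"] and sa["src"] == r["src"]
                         and sa["dst"] == r["dst"] for sa in sas)
            if not backed:
                problems.append(f"{sp['dir']} policy {sp['src']}->{sp['dst']}: "
                                f"no {r['proto']} SA for tunnel {r['src']}-{r['dst']}")
    return problems


def validate(text):
    sas, sps = parse_setkey(text)
    return check_config(sas, sps)


if __name__ == "__main__":
    for line in validate(LAPTOP_CONF) or ["no structural problems found"]:
        print(line)
```

Run it against both hosts' rule sets; a tunnel clause that names endpoints with no SA for that protocol in that direction, or a key of the wrong size, is reported before the kernel silently drops traffic.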