Date: Fri, 23 Apr 2004 10:39:49 -0400 From: "Dan Langille" <dan@langille.org> To: Greg Troxel <gdt@ir.bbn.com> Cc: freebsd-security@FreeBSD.org Subject: Re: IPsec - got ESP going, but not AH Message-ID: <4088F275.17020.1EA9BE84@localhost> In-Reply-To: <rmismeuucl4.fsf@fnord.ir.bbn.com> References: <40885ECF.22456.1C68F42E@localhost>
next in thread | previous in thread | raw e-mail | index | archive | help
On 23 Apr 2004 at 8:02, Greg Troxel wrote: > While this should probably work, it's more straightforward to use ESP > with integrity protection. That is, use a -A hmac-sha1 argument also > to ESP. (hmac-md5 is probably still fine, but sha1 goes better > strength-wise with rijndael-cbc.) Thank you for your suggestions. Based on that, I've tried the following, which works for me: add 10.0.0.1 10.0.0.10 esp 691 -E rijndael-cbc "1234567890123456" -A hmac-sha1 "12345678901234567890"; add 10.0.0.10 10.0.0.1 esp 693 -E rijndael-cbc "1234567890123456" -A hmac-sha1 "12345678901234567890"; spdadd 10.0.0.0/24 0.0.0.0/0 any -P out ipsec esp/tunnel/10.0.0.10- 10.0.0.1/require; spdadd 0.0.0.0/0 10.0.0.0/24 any -P in ipsec esp/tunnel/10.0.0.1- 10.0.0.10/require; Cheers -- Dan Langille : http://www.langille.org/ BSDCan - http://www.bsdcan.org/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4088F275.17020.1EA9BE84>