IPsec - got ESP going, but not AH
Dan Langille
dan at langille.org
Thu Apr 22 21:09:52 PDT 2004
Hi folks,
I've been working on getting my WiFi network running with IPsec. I'm
at the point where all traffic on the wifi subnet is encrypted (i.e.
ESP). Then I tried to add AH to the equation. I failed.
This picture describes the network setup:
http://beta.freebsddiary.org/images/ipsec-wireless.gif
Here's what I'm trying and failing with. With these rules, I get no
comms between the laptop and the gateway. If I remove the
"ah/tunnel/..." clauses from the spdadd statements, everything moves
along nicely. What am I missing here?
Any ideas? Thank you.
rules for the laptop (encrypting + authentication)
add 10.0.0.1 10.0.0.10 esp 691 -E rijndael-cbc "1234567890123456";
add 10.0.0.10 10.0.0.1 esp 693 -E rijndael-cbc "1234567890123456";
add 10.0.0.1 10.0.0.10 ah 15700 -A hmac-md5 "1234567890123456";
add 10.0.0.10 10.0.0.1 ah 24500 -A hmac-md5 "1234567890123456";
spdadd 10.0.0.0/24 0.0.0.0/0 any -P out ipsec
esp/tunnel/10.0.0.10-10.0.0.1/require
ah/tunnel/10.0.0.10-10.0.0.1/require;
spdadd 0.0.0.0/0 10.0.0.0/24 any -P in ipsec
esp/tunnel/10.0.0.1-10.0.0.10/require
ah/tunnel/10.0.0.1-10.0.0.10/require;
rules for the gateway (encrypting + authentication)
add 10.0.0.1 10.0.0.10 esp 691 -E rijndael-cbc "1234567890123456";
add 10.0.0.10 10.0.0.1 esp 693 -E rijndael-cbc "1234567890123456";
add 10.0.0.1 10.0.0.10 ah 15700 -A hmac-md5 "1234567890123456";
add 10.0.0.10 10.0.0.1 ah 24500 -A hmac-md5 "1234567890123456";
spdadd 10.0.0.0/24 0.0.0.0/0 any -P in ipsec
esp/tunnel/10.0.0.10-10.0.0.1/require
ah/tunnel/10.0.0.10-10.0.0.1/require;
spdadd 0.0.0.0/0 10.0.0.0/24 any -P out ipsec
esp/tunnel/10.0.0.1-10.0.0.10/require
ah/tunnel/10.0.0.1-10.0.0.10/require;
--
Dan Langille : http://www.langille.org/
BSDCan - http://www.bsdcan.org/
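Before chasing the AH question, it is worth ruling out the mechanical mistakes that break manually keyed IPsec silently: a key of the wrong length for the algorithm, an SA that exists on one host but not the other (or with a different SPI or key), a "require" clause with no SA behind it, or an SPD entry that is not mirrored on the peer. The script below is an added example, not code from Dan's post or from FreeBSD: it parses the laptop and gateway rules quoted above (copied verbatim; the four SAs are shared between the two configs, as in the post) and reports any of those four problems. The key-size table is an assumption limited to the algorithms in the post plus a few common ones, and the "broken" gateway copy is constructed here purely to show what a finding looks like; the configuration as posted passes all four checks, so whatever is wrong with the nested ESP+AH tunnel is not one of these.

```python
"""Consistency checks for a pair of manually keyed setkey(8) configs (ESP + AH).
Added example, not code from the original post."""
import shlex
from collections import namedtuple

SA = namedtuple("SA", "src dst proto spi alg key")
Policy = namedtuple("Policy", "src dst upper direction clauses")

# Key sizes in bits that setkey(8) accepts for the algorithms in the post plus
# a few common ones.  Assumption: extend this table for other algorithms.
KEY_BITS = {"rijndael-cbc": {128, 192, 256}, "3des-cbc": {192}, "des-cbc": {64},
            "hmac-md5": {128}, "hmac-sha1": {160}, "hmac-sha2-256": {256}}

# SAD entries from the post; the laptop and the gateway carry the same four.
SAD = '''
add 10.0.0.1 10.0.0.10 esp 691 -E rijndael-cbc "1234567890123456";
add 10.0.0.10 10.0.0.1 esp 693 -E rijndael-cbc "1234567890123456";
add 10.0.0.1 10.0.0.10 ah 15700 -A hmac-md5 "1234567890123456";
add 10.0.0.10 10.0.0.1 ah 24500 -A hmac-md5 "1234567890123456";
'''
LAPTOP_RULES = SAD + '''
spdadd 10.0.0.0/24 0.0.0.0/0 any -P out ipsec
    esp/tunnel/10.0.0.10-10.0.0.1/require ah/tunnel/10.0.0.10-10.0.0.1/require;
spdadd 0.0.0.0/0 10.0.0.0/24 any -P in ipsec
    esp/tunnel/10.0.0.1-10.0.0.10/require ah/tunnel/10.0.0.1-10.0.0.10/require;
'''
GATEWAY_RULES = SAD + '''
spdadd 10.0.0.0/24 0.0.0.0/0 any -P in ipsec
    esp/tunnel/10.0.0.10-10.0.0.1/require ah/tunnel/10.0.0.10-10.0.0.1/require;
spdadd 0.0.0.0/0 10.0.0.0/24 any -P out ipsec
    esp/tunnel/10.0.0.1-10.0.0.10/require ah/tunnel/10.0.0.1-10.0.0.10/require;
'''
# Constructed (not from the post): a gateway copy with a wrong AH SPI and a short key.
BROKEN_GATEWAY_RULES = GATEWAY_RULES.replace(
    'ah 24500 -A hmac-md5 "1234567890123456"', 'ah 24501 -A hmac-md5 "12345678"')


def key_bits(key):
    """Key length in bits: 0x... is hex, anything else was a quoted byte string."""
    return (len(key) - 2) * 4 if key.startswith("0x") else len(key) * 8


def parse(text):
    """Return ([SA], [Policy]) from setkey -c style input (statements end in ';')."""
    sas, policies = [], []
    for stmt in text.split(";"):
        toks = shlex.split(stmt)          # drops the quotes around string keys
        if not toks:
            continue
        if toks[0] == "add":              # add src dst proto spi [-m mode] -E|-A alg key
            i = toks.index("-E" if toks[3] == "esp" else "-A")
            sas.append(SA(toks[1], toks[2], toks[3], int(toks[4]), toks[i + 1], toks[i + 2]))
        elif toks[0] == "spdadd":         # spdadd src dst upper -P dir ipsec proto/mode/src-dst/level ...
            p = toks.index("-P")
            clauses = []
            for clause in toks[p + 3:]:
                proto, mode, ends, level = clause.split("/")
                s, d = ends.split("-") if ends else ("", "")
                clauses.append((proto, mode, s, d, level))
            policies.append(Policy(toks[1], toks[2], toks[3], toks[p + 1], tuple(clauses)))
    return sas, policies


def check(local_text, peer_text, local="local", peer="peer"):
    """Return a list of findings; an empty list means the pair is consistent."""
    out = []
    hosts = {local: parse(local_text), peer: parse(peer_text)}
    for name, (sas, pols) in hosts.items():
        have = {(sa.proto, sa.src, sa.dst) for sa in sas}
        for sa in sas:                    # 1. key length matches the algorithm
            allowed = KEY_BITS.get(sa.alg)
            if allowed and key_bits(sa.key) not in allowed:
                out.append(f"{name}: {sa.proto} SPI {sa.spi} {sa.alg} key is "
                           f"{key_bits(sa.key)} bits, setkey wants {sorted(allowed)}")
        for pol in pols:                  # 2. every tunnel 'require' has an SA behind it
            for proto, mode, s, d, level in pol.clauses:
                if level == "require" and mode == "tunnel" and (proto, s, d) not in have:
                    out.append(f"{name}: no {proto} SA {s}->{d} for {pol.direction} policy")
    # 3. manual keying: both SADs must be identical (same SPI, algorithm and key per SA)
    sad = {n: {(sa.src, sa.dst, sa.proto, sa.spi): (sa.alg, sa.key) for sa in h[0]}
           for n, h in hosts.items()}
    for k in sorted(set(sad[local]) | set(sad[peer])):
        if k not in sad[local] or k not in sad[peer]:
            out.append(f"SA {k} is defined on only one host")
        elif sad[local][k] != sad[peer][k]:
            out.append(f"SA {k}: algorithm or key differs between hosts")
    # 4. each SPD entry must be mirrored on the peer with the opposite direction
    flip = {"in": "out", "out": "in"}
    peer_pols = {(p.src, p.dst, p.upper, p.direction, p.clauses) for p in hosts[peer][1]}
    for p in hosts[local][1]:
        if (p.src, p.dst, p.upper, flip.get(p.direction), p.clauses) not in peer_pols:
            out.append(f"{local} {p.direction} policy {p.src}->{p.dst} not mirrored on {peer}")
    return out


if __name__ == "__main__":
    for label, gw in (("as posted", GATEWAY_RULES), ("broken copy", BROKEN_GATEWAY_RULES)):
        print(label + ":", check(LAPTOP_RULES, gw, "laptop", "gateway") or "no findings")
```

Feed it the same text you would hand to setkey -c on each host; with the configs as posted it reports nothing, while the constructed gateway copy produces three findings (the 64-bit HMAC-MD5 key, and the AH SA with SPI 24500 present only on the laptop and 24501 only on the gateway). Note that the parser deliberately covers only the "add" and "spdadd" forms used in the post; "-m" modes other than the default and "spdadd" policies such as "discard" or "none" are tolerated but not checked.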