[ProgSoc] Getting ipsec-tools to work between Ubuntu Lucid hosts
wtfiwtz at gmail.com
Fri Jul 29 08:49:37 EST 2011
> I found and read that link in my travels while trying to diagnose this
> problem last night.
> Here's the output from the diagnostics utility it mentions. I've checked
> and double-checked my SA/SP configurations, and I'm pretty sure they're
> correct (although obviously something is wrong -- somewhere).
I'd do the following:
- configure and test with ESP only
- configure and test with AH only
- combine the two
The example below only uses one line for "spdadd"... check also that you
have got the correct swapping of the IP addresses.
It is also recommended to apply AH after ESP; I'm not sure why. In your case,
you have done AH first.
Configuration examples: host-to-host encryption+authentication
If you configure secret keys for both AH and ESP, you can use both of them.
IPsec document suggests to apply AH after ESP.
# packet will look like this: IPv4 AH ESP payload
# the node is on 10.1.1.1, peer is on 20.0.0.1
setkey -c <<EOF
add 10.1.1.1 20.0.0.1 esp 9876 -E 3des-cbc "hogehogehogehogehogehoge";
add 20.0.0.1 10.1.1.1 esp 10000 -E 3des-cbc
add 10.1.1.1 20.0.0.1 ah 9877 -A hmac-md5 "hogehogehogehoge";
add 20.0.0.1 10.1.1.1 ah 10001 -A hmac-md5 "mogamogamogamoga";
spdadd 10.1.1.1 20.0.0.1 any -P out ipsec esp/transport//use ah/transport//use;
EOF
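The staged test suggested in the reply (ESP only, then AH only, then both), written out as a small script. This is an added example, not code from the original post or from the ipsec-tools documentation: it generates the setkey(8) configuration for one stage and one host, emitting the same SA lines on both hosts (an SA is identified by destination, SPI and protocol, so both peers must load identical "add" lines) and swapping src/dst only between the "out" and "in" policies. The addresses, SPIs and keys are placeholders chosen for illustration, and the legacy 3des-cbc/hmac-md5 of the documentation example is swapped for aes-cbc and hmac-sha256, which setkey also accepts.

```shell
#!/bin/sh
# Added example, not from the original post or the ipsec-tools documentation:
# emits a setkey(8) configuration for one stage of the staged test
# (ESP only, AH only, then both). Both hosts load the SAME "add" lines, since
# an SA is identified by (dst, spi, proto); only the "spdadd" lines differ,
# with src/dst swapped between the out and in policies.
# Addresses, SPIs and keys are placeholders (assumptions for illustration);
# generate real keys with:  openssl rand -hex 32

HOST_A=10.1.1.1
HOST_B=20.0.0.1

# SPIs must be above 255 (0-255 are reserved) and unique per (dst, proto).
SPI_ESP_AB=9876;  SPI_ESP_BA=10000
SPI_AH_AB=9877;   SPI_AH_BA=10001

# aes-cbc and hmac-sha256 each take a 32-byte key here: "0x" + 64 hex digits.
# setkey rejects keys of the wrong length, so check these before anything else.
KEY_ESP_AB=0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
KEY_ESP_BA=0x202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f
KEY_AH_AB=0x404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f
KEY_AH_BA=0x606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f

# "use" lets plaintext through if no SA matches (handy while debugging);
# switch to "require" once a stage works so a misconfiguration fails loudly.
LEVEL=use

# One SA per direction for the given protocol; identical on both hosts.
sa_lines() {
    case $1 in
    esp)
        echo "add $HOST_A $HOST_B esp $SPI_ESP_AB -E aes-cbc $KEY_ESP_AB;"
        echo "add $HOST_B $HOST_A esp $SPI_ESP_BA -E aes-cbc $KEY_ESP_BA;"
        ;;
    ah)
        echo "add $HOST_A $HOST_B ah $SPI_AH_AB -A hmac-sha256 $KEY_AH_AB;"
        echo "add $HOST_B $HOST_A ah $SPI_AH_BA -A hmac-sha256 $KEY_AH_BA;"
        ;;
    esac
}

# Policy string for a stage. In the combined stage ESP is listed first, so it
# is applied first (innermost) and AH wraps it: IPv4 AH ESP payload, the
# "AH after ESP" layout the documentation example describes.
policy() {
    case $1 in
    esp)  echo "esp/transport//$LEVEL" ;;
    ah)   echo "ah/transport//$LEVEL" ;;
    both) echo "esp/transport//$LEVEL ah/transport//$LEVEL" ;;
    *)    echo "unknown stage: $1" >&2; return 1 ;;
    esac
}

# gen_setkey_conf <this host's address> <esp|ah|both>
gen_setkey_conf() {
    me=$1; stage=$2
    if [ "$me" = "$HOST_A" ]; then other=$HOST_B; else other=$HOST_A; fi
    pol=$(policy "$stage") || return 1
    echo "flush;"          # drop stale SAs left over from a previous stage
    echo "spdflush;"       # and stale policies
    case $stage in esp|both) sa_lines esp ;; esac
    case $stage in ah|both)  sa_lines ah  ;; esac
    echo "spdadd $me $other any -P out ipsec $pol;"
    echo "spdadd $other $me any -P in ipsec $pol;"
}

# Load with:  gen_setkey_conf 10.1.1.1 esp | setkey -c   (on 10.1.1.1)
#             gen_setkey_conf 20.0.0.1 esp | setkey -c   (on 20.0.0.1)
# then ping the peer and confirm with `setkey -D` that the SA byte counters
# move in both directions before going on to the next stage.
gen_setkey_conf "$HOST_A" both
```

Run one stage on both hosts, verify traffic with `setkey -D` (and a packet capture showing AH/ESP rather than plain ICMP), then move to the next stage; the "flush;"/"spdflush;" lines at the top make each stage start from a clean kernel state, which avoids the leftover-SA confusion that a half-working earlier attempt can leave behind.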