[ProgSoc] Getting ipsec-tools to work between Ubuntu Lucid hosts

Nigel Sheridan-Smith wtfiwtz at gmail.com
Fri Jul 29 08:49:37 EST 2011

> http://lartc.org/howto/lartc.ipsec.html#LARTC.IPSEC.INTRO
> I found and read that link in my travels while trying to diagnose this
> problem last night.
> Here's the output from the diagnostics utility it mentions. I've checked
> and double-checked my SA/SP configurations, and I'm pretty sure they're
> correct (although obviously something is wrong -- somewhere).

I'd do the following:
- configure and test with ESP only
- configure and test with AH only
- combine the two

The example below only uses one line for "spdadd"... also check that you
have got the IP addresses swapped correctly between the two directions.

It is also recommended to apply AH after ESP; I'm not sure why. In your case,
you have done AH first.

Configuration examples: host-to-host encryption+authentication

If you configure secret keys for both AH and ESP, you can use both of them.
The IPsec document suggests applying AH after ESP.

#! /bin/sh
# packet will look like this: IPv4 AH ESP payload
# the node is on, peer is on
setkey -c <<EOF
add esp 9876 -E 3des-cbc "hogehogehogehogehogehoge";
add esp 10000 -E 3des-cbc
add ah 9877 -A hmac-md5 "hogehogehogehoge";
add ah 10001 -A hmac-md5 "mogamogamogamoga";
spdadd any -P out ipsec esp/transport//use ah/transport//use;
EOF
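The staged approach above (ESP only, then AH only, then both) and the address-swapping point are easier to get right if the setkey script is generated rather than typed twice. The script below is an added example, not part of this mail or of ipsec-tools; it assumes two hosts on the constructed addresses 192.0.2.1 and 192.0.2.2, placeholder SPIs and keys, and uses aes-cbc and hmac-sha1 in place of the 3des-cbc/hmac-md5 of the manual-page excerpt. The "out" and "in" policies are derived from a single (me, peer) pair so that host A's and host B's configurations are mirror images by construction, and check_mirrored flags any policy set where an "out" rule has no swapped "in" counterpart.

```sh
#!/bin/sh
# Added example, not taken from the mailing-list post or from ipsec-tools itself.
# Emits setkey(8) configuration for manually keyed, transport-mode IPsec between
# two hosts so the three stages (ESP only, AH only, both) can be tested in turn.
# Addresses, SPIs and keys below are constructed placeholders.

A=192.0.2.1     # "this" host (constructed, TEST-NET-1 address)
B=192.0.2.2     # peer host   (constructed)

# 16-byte AES key and 20-byte HMAC-SHA1 key per direction, in setkey hex form.
# Placeholders only: generate real keys with something like `openssl rand -hex 16`.
ESP_KEY_AB=0x000102030405060708090a0b0c0d0e0f
ESP_KEY_BA=0x0f0e0d0c0b0a09080706050403020100
AH_KEY_AB=0x00112233445566778899aabbccddeeff00112233
AH_KEY_BA=0x33221100ffeeddccbbaa99887766554433221100

# Security associations are identified by (src, dst, proto, SPI) and are one-way,
# so both hosts install the same lines: one SA per direction per protocol.
sa_lines() {   # $1 = esp | ah | both
    case $1 in
    esp|both)
        echo "add $A $B esp 0x1001 -E aes-cbc $ESP_KEY_AB;"
        echo "add $B $A esp 0x1002 -E aes-cbc $ESP_KEY_BA;"
        ;;
    esac
    case $1 in
    ah|both)
        echo "add $A $B ah 0x2001 -A hmac-sha1 $AH_KEY_AB;"
        echo "add $B $A ah 0x2002 -A hmac-sha1 $AH_KEY_BA;"
        ;;
    esac
}

# Policy string: protocols are listed in the order they are applied, so
# "esp ... ah ..." encrypts first and then authenticates the result, giving the
# on-the-wire layout "IPv4 AH ESP payload" that the manual page describes.
policy() {
    case $1 in
    esp)  echo "esp/transport//require" ;;
    ah)   echo "ah/transport//require" ;;
    both) echo "esp/transport//require ah/transport//require" ;;
    esac
}

# Security policies are what differ between the two hosts: "out" names
# (me, peer) and "in" names (peer, me). $2 selects which host the script is
# for, so the address swap happens here once instead of by hand on each box.
sp_lines() {   # $1 = esp | ah | both,  $2 = a | b
    if [ "$2" = a ]; then me=$A; peer=$B; else me=$B; peer=$A; fi
    echo "spdadd $me $peer any -P out ipsec $(policy "$1");"
    echo "spdadd $peer $me any -P in ipsec $(policy "$1");"
}

# Complete setkey script for one stage on one host (flushes old state first).
gen_conf() {   # $1 = esp | ah | both,  $2 = a | b
    echo "flush;"
    echo "spdflush;"
    sa_lines "$1"
    sp_lines "$1" "$2"
}

# Consistency check: every "-P out" policy needs a mirror-image "-P in" policy.
# Reads a setkey script on stdin and prints "ok" or "mismatch".
check_mirrored() {
    awk '
        /^spdadd/ && /-P out/ { out[$2 " " $3] = 1 }
        /^spdadd/ && /-P in/  { in_[$3 " " $2] = 1 }
        END { for (k in out) if (!(k in in_)) { print "mismatch"; exit }
              print "ok" }'
}

# Usage:  sh thisscript.sh both a | setkey -c     (on host A)
#         sh thisscript.sh both b | setkey -c     (on host B)
# then inspect what the kernel actually holds with: setkey -D ; setkey -DP
if [ "${1:-}" != "" ]; then gen_conf "$1" "${2:-a}"; fi
```

Run the same stage on both hosts before moving to the next one, and compare `setkey -D` / `setkey -DP` output on each side: the SAD entries should be identical on both hosts, while the SPD entries should be each other's mirror image.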