Re: IPsec - got ESP going, but not AH
From: Dan Langille (dan_at_langille.org)
Date: 04/23/04
- Previous message: Mipam: "use keep state(strict) to mitigate tcp issues?"
- In reply to: Greg Troxel: "Re: IPsec - got ESP going, but not AH"
- Next in thread: Crist J. Clark: "Re: IPsec - got ESP going, but not AH"
To: Greg Troxel <gdt@ir.bbn.com>
Date: Fri, 23 Apr 2004 10:39:49 -0400
On 23 Apr 2004 at 8:02, Greg Troxel wrote:
> While this should probably work, it's more straightforward to use ESP
> with integrity protection. That is, use a -A hmac-sha1 argument also
> to ESP. (hmac-md5 is probably still fine, but sha1 goes better
> strength-wise with rijndael-cbc.)
Thank you for your suggestions. Based on that, I've tried the
following, which works for me:
add 10.0.0.1 10.0.0.10 esp 691 -E rijndael-cbc "1234567890123456" -A hmac-sha1 "12345678901234567890";
add 10.0.0.10 10.0.0.1 esp 693 -E rijndael-cbc "1234567890123456" -A hmac-sha1 "12345678901234567890";
spdadd 10.0.0.0/24 0.0.0.0/0 any -P out ipsec esp/tunnel/10.0.0.10-10.0.0.1/require;
spdadd 0.0.0.0/0 10.0.0.0/24 any -P in ipsec esp/tunnel/10.0.0.1-10.0.0.10/require;
Cheers
--
Dan Langille : http://www.langille.org/
BSDCan - http://www.bsdcan.org/
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
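Added example, not part of the original message: a Python check for the point made in the quoted reply, that an ESP SA should carry its own integrity protection via -A. It flags ESP "add" statements with no -A and keys whose length does not match the algorithm; the function names and the SPI 700 and 701 entries are constructed for illustration.

```python
import re
import shlex

# Key sizes in bytes per setkey(8), limited to the algorithms named in this thread.
KEY_BYTES = {
    "-E": {"rijndael-cbc": {16, 24, 32}},
    "-A": {"hmac-sha1": {20}, "hmac-md5": {16}},
}

def key_len(token):
    """Bytes in a setkey key: a double-quoted string or 0x-prefixed hex."""
    if token.startswith('"'):
        return len(token.strip('"'))
    if token.lower().startswith("0x"):
        return len(token[2:]) // 2
    return -1  # neither form: not a valid key

def lint_esp_sas(conf):
    """Return (spi, problem) pairs for the ESP 'add' statements in conf.

    Assumes keys contain no '#' or ';' characters.
    """
    findings = []
    for stmt in re.sub(r"#.*", "", conf).split(";"):
        tok = shlex.split(stmt, posix=False)  # posix=False keeps the quotes
        if len(tok) < 5 or tok[0] != "add" or tok[3] != "esp":
            continue
        spi = tok[4]
        opts = {tok[i]: (tok[i + 1], tok[i + 2])
                for i in range(5, len(tok) - 2) if tok[i] in KEY_BYTES}
        if "-A" not in opts:
            findings.append((spi, "no -A: encrypted but not integrity-protected"))
        for flag, (alg, key) in opts.items():
            allowed = KEY_BYTES[flag].get(alg)
            if allowed and key_len(key) not in allowed:
                findings.append((spi, f"{alg}: key is {key_len(key)} bytes"))
    return findings

# Constructed sample: SPI 691 is the SA from the message; 700 and 701 are made up.
SAMPLE = '''
add 10.0.0.1 10.0.0.10 esp 691 -E rijndael-cbc "1234567890123456" -A hmac-sha1 "12345678901234567890";
add 10.0.0.1 10.0.0.10 esp 700 -E rijndael-cbc "1234567890123456";
add 10.0.0.1 10.0.0.10 esp 701 -E rijndael-cbc "1234567890123456"
    -A hmac-sha1 "1234567890123456";
'''

if __name__ == "__main__":
    for spi, problem in lint_esp_sas(SAMPLE):
        print(f"SPI {spi}: {problem}")
```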