Re: [LARTC] IPSEC FIRST LIGHT! (by non-kernel developer :-))

Mike Diehl (mdiehl@dominion.dyndns.org)
Thu, 7 Nov 2002 20:59:32 -0500


So the IPSec in the 2.5 kernel actually works!!! I had heard it was mostly
nonfunctional.

This is good news. FreeSwan has some quirky political policys.

On Thursday 07 November 2002 08:02 am, bert hubert wrote:
> On Thu, Nov 07, 2002 at 02:52:50AM -0800, David S. Miller wrote:
> > Really, if this one doesn't apply, your 2.5 bitkeeper tree is not
> > totally uptodate.
>
> It works in transport mode! Both EH/ASP.
>
> Hints:
> Use the latest bitkeeper sources as of Thurday morning MET
>
> Apply the last patch Alexey sent in the 'silly advise' thread
> on linux kernel mailinglist
>
> Do not compile anything AH/ESP/CRYPTO as modules
> failed for me with bad oops
>
> Make very very sure that you are not filtering ipsec packets
> iptables needs to allow protocols 50 and 51
>
> Use the KAME tools port on ftp://ftp.inr.ac.ru/ip-routing/ipsec/
> racoon won't compile, you don't need it yet
> point it at your 2.5.46+bk+davem tree (edit GNUMakefiles)
>
> Use 3des-cbc
> examples online use blowfish-cbc but that gives an error
> in setkey
>
> Configuration (needs the setkey tool) on 10.0.0.11:
>
> #!./setkey -f
> flush;
> spdflush;
>
> # AH
> add 10.0.0.11 10.0.0.216 ah 15700 -A hmac-md5 "1234567890123456";
> add 10.0.0.216 10.0.0.11 ah 24500 -A hmac-md5 "1234567890123456";
>
> # ESP
> add 10.0.0.11 10.0.0.216 esp 15701 -E 3des-cbc
> "123456789012123456789012"; add 10.0.0.216 10.0.0.11 esp 24501 -E
> 3des-cbc "123456789012123456789012";
>
> spdadd 10.0.0.216 10.0.0.11 icmp -P out ipsec
> esp/transport//use
> ah/transport//use;
>
> Configuration on 10.0.0.216:
>
> #!./setkey -f
> flush;
> spdflush;
>
> # AH
> add 10.0.0.11 10.0.0.216 ah 15700 -A hmac-md5 "1234567890123456";
> add 10.0.0.216 10.0.0.11 ah 24500 -A hmac-md5 "1234567890123456";
>
> # ESP
> add 10.0.0.11 10.0.0.216 esp 15701 -E 3des-cbc
> "123456789012123456789012"; add 10.0.0.216 10.0.0.11 esp 24501 -E
> 3des-cbc "123456789012123456789012";
>
> # this is reversed
> spdadd 10.0.0.11 10.0.0.216 icmp -P out ipsec
> esp/transport//use
> ah/transport//use;
>
> # ping 10.0.0.11
> PING 10.0.0.11 (10.0.0.11) from 10.0.0.216 : 56(84) bytes of data.
> 64 bytes from 10.0.0.11: icmp_seq=1 ttl=64 time=1.11 ms
>
> $ sudo tcpdump -n -i eth0 -p
> tcpdump: listening on eth0
> 13:55:42.381669 10.0.0.216 > 10.0.0.11: AH(spi=0x00005fb4,seq=0x39):
> ESP(spi=0x00005fb5,seq=0x39) (DF)
> 13:55:42.382518 10.0.0.11 > 10.0.0.216: AH(spi=0x00003d54,seq=0x39):
> ESP(spi=0x00003d55,seq=0x39)
>
> Great work everybody! I'm very impressed.
>
> Regards,
>
> bert

-- 
Mike Diehl
PGP Encrypted E-mail preferred.
Public Key via: http://dominion.dyndns.org/~mdiehl/mdiehl.asc

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/