IPsec - got ESP going, but not AH
Hi folks,
I've been working on getting my WiFi network running with IPsec. I'm
at the point where all traffic on the WiFi subnet is encrypted (i.e.
ESP). Then I tried to add AH to the equation. I failed.
This picture describes the network setup:
http://beta.freebsddiary.org/images/ipsec-wireless.gif

Here's what I'm trying and failing with. With these rules, I get no
comms between the laptop and the gateway. If I remove the
"ah/tunnel/..." clauses from the spdadd statements, everything moves
along nicely. What am I missing here?
Any ideas? Thank you.
Rules for the laptop (encryption + authentication):

# SAD: manually keyed SAs, one per direction and per protocol.
# 10.0.0.10 is the laptop, 10.0.0.1 is the gateway.
add 10.0.0.1 10.0.0.10 esp 691 -E rijndael-cbc "1234567890123456";
add 10.0.0.10 10.0.0.1 esp 693 -E rijndael-cbc "1234567890123456";
add 10.0.0.1 10.0.0.10 ah 15700 -A hmac-md5 "1234567890123456";
add 10.0.0.10 10.0.0.1 ah 24500 -A hmac-md5 "1234567890123456";

# SPD: outbound traffic from the wifi subnet must use both the ESP tunnel
# and the AH tunnel laptop -> gateway; inbound traffic the reverse.
spdadd 10.0.0.0/24 0.0.0.0/0 any -P out ipsec
    esp/tunnel/10.0.0.10-10.0.0.1/require
    ah/tunnel/10.0.0.10-10.0.0.1/require;
spdadd 0.0.0.0/0 10.0.0.0/24 any -P in ipsec
    esp/tunnel/10.0.0.1-10.0.0.10/require
    ah/tunnel/10.0.0.1-10.0.0.10/require;
Rules for the gateway (encryption + authentication):

# SAD: the same four SAs (same SPIs, algorithms and keys) as on the laptop.
add 10.0.0.1 10.0.0.10 esp 691 -E rijndael-cbc "1234567890123456";
add 10.0.0.10 10.0.0.1 esp 693 -E rijndael-cbc "1234567890123456";
add 10.0.0.1 10.0.0.10 ah 15700 -A hmac-md5 "1234567890123456";
add 10.0.0.10 10.0.0.1 ah 24500 -A hmac-md5 "1234567890123456";

# SPD: mirror image of the laptop policies; traffic from the wifi subnet
# arrives through the laptop -> gateway tunnels, replies leave through the
# gateway -> laptop tunnels.
spdadd 10.0.0.0/24 0.0.0.0/0 any -P in ipsec
    esp/tunnel/10.0.0.10-10.0.0.1/require
    ah/tunnel/10.0.0.10-10.0.0.1/require;
spdadd 0.0.0.0/0 10.0.0.0/24 any -P out ipsec
    esp/tunnel/10.0.0.1-10.0.0.10/require
    ah/tunnel/10.0.0.1-10.0.0.10/require;
--
Dan Langille : http://www.langille.org/
BSDCan - http://www.bsdcan.org/
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
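As an added example (not code from the original post, and not FreeBSD's own tooling), here is a small linter for setkey-style rule files. It parses the laptop's add/spdadd statements exactly as copied from the post, checks each manual key against the size its algorithm needs (an assumed table: rijndael-cbc 128/192/256 bits, hmac-md5 128, hmac-sha1 160, hmac-sha256 256; setkey(8) is authoritative), flags duplicate SA identities, and checks that every "require" tunnel entry has a manual SA for the same protocol and endpoints in the same direction, which is the mismatch most often behind "no comms at all". It also lists the header stack a policy produces, assuming the entries are applied in the listed order with the first ending up innermost, so two tunnel-mode entries yield two outer IP headers. A constructed, deliberately broken copy of the rules shows what the checks catch.

```python
"""Lint a setkey(8)-style file of manual IPsec SAs ('add') and policies
('spdadd'), and show the header stack a policy produces on the wire.
Added example, not code from the original post; the key-size table and the
'entries apply in listed order, innermost first' rule are assumptions."""

# Accepted manual key sizes in bits (assumption; setkey(8) is authoritative).
ENC_KEY_BITS = {"rijndael-cbc": {128, 192, 256}, "3des-cbc": {192}}
AUTH_KEY_BITS = {"hmac-md5": {128}, "hmac-sha1": {160}, "hmac-sha256": {256}}

# The laptop rules, copied from the post above.
LAPTOP_CONFIG = """add 10.0.0.1 10.0.0.10 esp 691 -E rijndael-cbc "1234567890123456";
add 10.0.0.10 10.0.0.1 esp 693 -E rijndael-cbc "1234567890123456";
add 10.0.0.1 10.0.0.10 ah 15700 -A hmac-md5 "1234567890123456";
add 10.0.0.10 10.0.0.1 ah 24500 -A hmac-md5 "1234567890123456";
spdadd 10.0.0.0/24 0.0.0.0/0 any -P out ipsec
    esp/tunnel/10.0.0.10-10.0.0.1/require
    ah/tunnel/10.0.0.10-10.0.0.1/require;
spdadd 0.0.0.0/0 10.0.0.0/24 any -P in ipsec
    esp/tunnel/10.0.0.1-10.0.0.10/require
    ah/tunnel/10.0.0.1-10.0.0.10/require;
"""

# Constructed broken variant: the ESP SA 10.0.0.10->10.0.0.1 is missing and
# the AH key for SPI 15700 is only 8 bytes (hmac-md5 needs 16).
BROKEN_CONFIG = LAPTOP_CONFIG.replace(
    'add 10.0.0.10 10.0.0.1 esp 693 -E rijndael-cbc "1234567890123456";\n', ""
).replace('ah 15700 -A hmac-md5 "1234567890123456"', 'ah 15700 -A hmac-md5 "tooshort"')

def key_bits(tok):
    """Bits in a quoted ASCII key or a 0x... hex key."""
    return (len(tok) - 2) * 4 if tok.startswith("0x") else len(tok.strip('"')) * 8

def parse_add(t):
    """add <src> <dst> <proto> <spi> [-m mode] [-E alg key] [-A alg key]"""
    sa = {"src": t[1], "dst": t[2], "proto": t[3], "spi": int(t[4], 0),
          "enc": None, "auth": None}
    for flag, kind in (("-E", "enc"), ("-A", "auth")):
        if flag in t:
            i = t.index(flag)
            sa[kind] = (t[i + 1], key_bits(t[i + 2]))
    return sa

def parse_spdadd(t):
    """spdadd <src> <dst> <upper> -P <dir> ipsec <proto/mode/[src-dst]/level>..."""
    pol = {"src": t[1], "dst": t[2], "dir": t[t.index("-P") + 1], "entries": []}
    for tok in t[4:]:
        if tok.count("/") == 3:                      # an ipsec request entry
            proto, mode, ends, level = tok.split("/")
            pol["entries"].append({"proto": proto, "mode": mode, "level": level,
                                   "endpoints": tuple(ends.split("-")) if ends else None})
    return pol

def parse_config(text):
    """Drop '#' comments, split on ';' and parse the add/spdadd statements."""
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    sas, policies = [], []
    for stmt in body.split(";"):
        t = stmt.split()
        if t and t[0] == "add":
            sas.append(parse_add(t))
        elif t and t[0] == "spdadd":
            policies.append(parse_spdadd(t))
    return sas, policies

def lint(text):
    """Problems found: bad key sizes, duplicate SA identities, and 'require'
    entries whose tunnel endpoints have no manual SA in that direction."""
    sas, policies = parse_config(text)
    problems, seen = [], set()
    for sa in sas:
        for kind, table in (("enc", ENC_KEY_BITS), ("auth", AUTH_KEY_BITS)):
            if sa[kind] and sa[kind][1] not in table.get(sa[kind][0], set()):
                problems.append("SA spi=%d: %s key is %d bits" % (sa["spi"], *sa[kind]))
        ident = (sa["dst"], sa["proto"], sa["spi"])    # how the kernel looks an SA up
        if ident in seen:
            problems.append("duplicate SA %s" % (ident,))
        seen.add(ident)
    for pol in policies:
        for e in pol["entries"]:
            if e["level"] != "require" or not e["endpoints"]:
                continue
            src, dst = e["endpoints"]
            if not any(s["src"] == src and s["dst"] == dst and s["proto"] == e["proto"]
                       for s in sas):
                problems.append("%s policy %s -> %s: no %s SA %s -> %s"
                                % (pol["dir"], pol["src"], pol["dst"], e["proto"], src, dst))
    return problems

def wire_layers(text, direction="out"):
    """Header stack of the first policy in <direction>: entries apply in listed
    order (first ends up innermost) and every tunnel entry adds an outer IP
    header.  Assumed KAME semantics, see the module docstring."""
    _, policies = parse_config(text)
    pol = next(p for p in policies if p["dir"] == direction)
    layers = ["IP(original)"]
    for e in pol["entries"]:
        layers.insert(0, e["proto"].upper())
        if e["mode"] == "tunnel":
            layers.insert(0, "IP(%s->%s)" % e["endpoints"])
    return layers

if __name__ == "__main__":
    print("laptop rules:", lint(LAPTOP_CONFIG) or "no problems found")
    print("outbound stack:", " | ".join(wire_layers(LAPTOP_CONFIG)))
    print("broken rules:", lint(BROKEN_CONFIG))
```

Run it as a script to see the three reports, or point lint() at the contents of your own /etc/ipsec.conf. For the laptop rules above it finds nothing wrong and reports the outbound stack as IP(10.0.0.10->10.0.0.1) | AH | IP(10.0.0.10->10.0.0.1) | ESP | IP(original): three IP headers per packet, which is worth keeping in mind when you compare captures of "ESP only" against "ESP plus AH" and when a firewall between the two hosts passes protocol 50 but not protocol 51.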
Thread (messages with the same subject)
Full thread (this is message 1 of 5):