Re: IPsec - got ESP going, but not AH

Board: FB_security, posted 2004/04/24 06:41
On 23 Apr 2004 at 8:02, Greg Troxel wrote:

> While this should probably work, it's more straightforward to use ESP
> with integrity protection. That is, use a -A hmac-sha1 argument also
> to ESP. (hmac-md5 is probably still fine, but sha1 goes better
> strength-wise with rijndael-cbc.)

Thank you for your suggestions. Based on that, I've tried the
following, which works for me:

add 10.0.0.1 10.0.0.10 esp 691 -E rijndael-cbc "1234567890123456" -A hmac-sha1 "12345678901234567890";
add 10.0.0.10 10.0.0.1 esp 693 -E rijndael-cbc "1234567890123456" -A hmac-sha1 "12345678901234567890";

spdadd 10.0.0.0/24 0.0.0.0/0 any -P out ipsec esp/tunnel/10.0.0.10-10.0.0.1/require;
spdadd 0.0.0.0/0 10.0.0.0/24 any -P in ipsec esp/tunnel/10.0.0.1-10.0.0.10/require;

Cheers
--
Dan Langille : http://www.langille.org/
BSDCan - http://www.bsdcan.org/

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Article code (AID): #10YPjz00 (FB_security)
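Added example, not part of the original message or of FreeBSD's tooling: a small Python lint for setkey "add" statements that flags ESP SAs lacking the -A integrity algorithm recommended in the quoted reply and checks key lengths against the sizes listed in setkey(8). The function names, the SPIs 700 and 701, and the second sample are constructed for illustration.

```python
import shlex

# Key sizes in bytes, as listed in setkey(8).
KEY_BYTES = {
    "-E": {"rijndael-cbc": {16, 24, 32}, "3des-cbc": {24}, "des-cbc": {8}},
    "-A": {"hmac-sha1": {20}, "hmac-md5": {16}},
}

# The two SAs from the message above.
PAGE_SAS = '''
add 10.0.0.1 10.0.0.10 esp 691 -E rijndael-cbc "1234567890123456" -A hmac-sha1 "12345678901234567890";
add 10.0.0.10 10.0.0.1 esp 693 -E rijndael-cbc "1234567890123456" -A hmac-sha1 "12345678901234567890";
'''
# Constructed samples: one SA without -A, one with a short HMAC key.
CONSTRUCTED = '''
# hypothetical entries, not from the original post
add 10.0.0.10 10.0.0.1 esp 700 -E rijndael-cbc "1234567890123456";
add 10.0.0.10 10.0.0.1 esp 701 -E rijndael-cbc 0x00112233445566778899aabbccddeeff -A hmac-sha1 "tooshort";
'''

def key_len(token):
    """Byte length of a setkey key: a quoted string or 0x-prefixed hex."""
    if token.startswith('"'):
        return len(token) - 2
    if token.lower().startswith("0x"):
        return (len(token) - 2) // 2
    return len(token)

def lint_sas(conf):
    """Return (spi, problem) pairs for each 'add ... esp' statement."""
    findings = []
    lines = [l for l in conf.splitlines() if not l.lstrip().startswith("#")]
    for stmt in " ".join(lines).split(";"):
        tok = shlex.split(stmt, posix=False)  # non-POSIX mode keeps the quotes
        if len(tok) < 5 or tok[0] != "add" or tok[3] != "esp":
            continue
        spi, seen = tok[4], set()
        for i in range(5, len(tok) - 2):
            flag, alg, key = tok[i], tok[i + 1], tok[i + 2]
            if flag not in KEY_BYTES:
                continue
            seen.add(flag)
            valid = KEY_BYTES[flag].get(alg)
            if valid is None:
                findings.append((spi, f"{alg}: algorithm not in table"))
            elif key_len(key) not in valid:
                findings.append((spi, f"{alg}: key is {key_len(key)} bytes, expected {sorted(valid)}"))
        if "-A" not in seen:
            findings.append((spi, "no -A: ESP encrypts but does not authenticate"))
    return findings
```

Calling lint_sas(PAGE_SAS) returns an empty list, while lint_sas(CONSTRUCTED) reports SPI 700 for the missing -A and SPI 701 for the 8-byte hmac-sha1 key.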