
[Users] setting up ipsec SA

From: Stephen J Bevan (stephen_at_etunnels.com)
Date: Fri May 31 2002 - 08:25:10 CEST


Rogelio M. Serrano Jr. writes:
> How do we set up ipsec SA's directly, without using pluto?

Through a combination of ipsec spi, ipsec eroute and route***.
The exact combination of these depends on whether you are doing
host<->host, subnet<->subnet or some combination thereof. For
example, a while ago someone asked how to secure traffic between two
subnets (and only the subnets, host<->host was not required), one
protected by a Solaris box and one by a FreeS/WAN box. With some
invented IP addresses, the situation is :-

                 Solaris            FreeS/WAN
   LeftSubnet ===== GW --------------- GW =========== RightSubnet
  50.60.70.1/24   100.1.3.4           200.6.7.8         250.10.11.1/24

Using the following arbitrarily created values :-

  spi = 0x1001
  3des-key = 6d2c5688ebe2d7fc7b364da932eee4cbf092a3d63415e59a
  md5-key = bde359723576fdea08e56cbe876e24ad

Then on the Linux side of things you'd type the following to create
the SAs :-

  linux$ ipsec spi --af inet --edst 100.1.3.4 --spi 0x1001 --proto esp --src 200.6.7.8 --esp 3des-md5-96 --enckey 0x6d2c5688ebe2d7fc7b364da932eee4cbf092a3d63415e59a --authkey 0xbde359723576fdea08e56cbe876e24ad
  linux$ ipsec spi --af inet --edst 100.1.3.4 --spi 0x1001 --proto tun --src 200.6.7.8 --dst 100.1.3.4 --ip4
  linux$ ipsec spi --af inet --edst 200.6.7.8 --spi 0x1001 --proto esp --src 100.1.3.4 --esp 3des-md5-96 --enckey 0x6d2c5688ebe2d7fc7b364da932eee4cbf092a3d63415e59a --authkey 0xbde359723576fdea08e56cbe876e24ad
  linux$ ipsec spi --af inet --edst 200.6.7.8 --spi 0x1001 --proto tun --src 100.1.3.4 --dst 200.6.7.8 --ip4

Group the security associations to create the correct tunnel mode SAs ...

  linux$ ipsec spigrp --said tun.1001@200.6.7.8 esp.1001@200.6.7.8
  linux$ ipsec spigrp --said tun.1001@100.1.3.4 esp.1001@100.1.3.4

Create an outbound eroute to ensure that all outbound subnet-to-subnet
traffic gets encrypted ...

  linux$ ipsec eroute --add --eraf inet --src 250.10.11.0/24 --dst 50.60.70.0/24 --af inet --edst 100.1.3.4 --spi 0x1001 --proto tun

Route all traffic to the Solaris subnet out the ipsec device so that
it gets encrypted ...

  linux$ route add -net 50.60.70.0/24 ipsec0

Assuming that forwarding is enabled on both sides and that ipsec0 has
been correctly configured on the Linux side then (barring typos in the
above) a ping from one subnet to the other should work. See the
manual pages for ipsec_spi, ipsec_eroute and route for more
information.

---------
*** You can of course bypass these command line tools and go directly
    to the kernel interface by opening the PF_KEY socket to set up SA
    and SP entries and opening an AF_INET+SOCK_DGRAM socket to install
    routes.
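The procedure above, generalised into a small generator (an added example, not part of the original mail or of FreeS/WAN): given the two gateways, the two subnets, the SPI and the keys, it derives the mirrored inbound/outbound SA pairs, the groupings, the eroute and the route, and refuses keys whose length does not match the 3des-md5-96 transform or an SPI in the reserved 0..255 range. The function name, the key-length table and the `dev ipsec0` spelling of the route are my own; the `ipsec` sub-command syntax is the one the mail uses.

```python
# Generator for the manual KLIPS SA / eroute / route sequence described
# in the mail.  Added example; helper names and KEY_HEX_LEN are my own.
import ipaddress

# Hex-digit lengths the transform expects: 3DES takes a 24-byte key,
# HMAC-MD5-96 a 16-byte key.  A wrong key length is the usual "typo".
KEY_HEX_LEN = {"3des-md5-96": (48, 32)}

def check_key(name, key, want_hex_digits):
    """Reject keys that are not hex or not the length the transform needs."""
    bytes.fromhex(key)                      # raises ValueError on non-hex input
    if len(key) != want_hex_digits:
        raise ValueError(f"{name}: expected {want_hex_digits} hex digits, got {len(key)}")

def tunnel_commands(local_gw, remote_gw, local_net, remote_net, spi,
                    enckey, authkey, transform="3des-md5-96", dev="ipsec0"):
    """Commands to type on the local (Linux/KLIPS) gateway for a
    subnet<->subnet tunnel.  Each SA is named by its *destination*
    gateway (--edst) plus the SPI, so the two directions are mirrors."""
    enc_len, auth_len = KEY_HEX_LEN[transform]
    check_key("enckey", enckey, enc_len)
    check_key("authkey", authkey, auth_len)
    if not 0x100 <= spi <= 0xFFFFFFFF:      # SPI values 0..255 are reserved
        raise ValueError(f"spi {spi:#x} out of range")
    # strict=False turns a host address such as 50.60.70.1/24 into the
    # network form 50.60.70.0/24 that eroute and route need.
    local_net = ipaddress.ip_network(local_net, strict=False)
    remote_net = ipaddress.ip_network(remote_net, strict=False)
    cmds = []
    # (edst, src): the outbound SA is addressed to the remote gateway,
    # the inbound SA to ourselves.
    for edst, src in ((remote_gw, local_gw), (local_gw, remote_gw)):
        cmds.append(f"ipsec spi --af inet --edst {edst} --spi {spi:#x} --proto esp "
                    f"--src {src} --esp {transform} --enckey 0x{enckey} --authkey 0x{authkey}")
        cmds.append(f"ipsec spi --af inet --edst {edst} --spi {spi:#x} --proto tun "
                    f"--src {src} --dst {edst} --ip4")
        # Group the IP-in-IP SA with the ESP SA so KLIPS applies both (tunnel mode).
        cmds.append(f"ipsec spigrp --said tun.{spi:x}@{edst} esp.{spi:x}@{edst}")
    # Policy: only subnet<->subnet traffic is steered into the tunnel ...
    cmds.append(f"ipsec eroute --add --eraf inet --src {local_net} --dst {remote_net} "
                f"--af inet --edst {remote_gw} --spi {spi:#x} --proto tun")
    # ... and the kernel route makes that traffic leave via the ipsec device.
    cmds.append(f"route add -net {remote_net} dev {dev}")
    return cmds

if __name__ == "__main__":   # the mail's (invented) addresses and keys
    for c in tunnel_commands("200.6.7.8", "100.1.3.4", "250.10.11.1/24", "50.60.70.1/24",
                             0x1001, "6d2c5688ebe2d7fc7b364da932eee4cbf092a3d63415e59a",
                             "bde359723576fdea08e56cbe876e24ad"):
        print(c)
```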
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:08 CEST