Stephen J Bevan wrote:
>Rogelio M. Serrano Jr. writes:
> > How do we set up ipsec SA's directly, without using pluto?
>
>Through a combination of ipsec spi, ipsec eroute and route***.
>The exact combination of these depends on whether you are doing
>host<->host, subnet<->subnet or some combination thereof. For
>example, a while ago someone asked how to secure traffic between two
>subnets (and only the subnets, host<->host was not required), one
>protected by a Solaris box and one by a FreeS/WAN box. With some
>invented IP addresses, the situation is :-
>
>
>        Solaris                              FreeS/WAN
> LeftSubnet ===== GW --------------- GW =========== RightSubnet
> 50.60.70.1/24   100.1.3.4          200.6.7.8      250.10.11.1/24
>
>
>Using the following arbitrarily created values :-
>
> spi = 0x1001
> 3des-key = 6d2c5688ebe2d7fc7b364da932eee4cbf092a3d63415e59a
> md5-key = bde359723576fdea08e56cbe876e24ad
>
>Then on the Linux side of things you'd type the following to create
>the SAs :-
>
> linux$ ipsec spi --af inet --edst 100.1.3.4 --spi 0x1001 --proto esp --src 200.6.7.8 --esp 3des-md5-96 --enckey 0x6d2c5688ebe2d7fc7b364da932eee4cbf092a3d63415e59a --authkey 0xbde359723576fdea08e56cbe876e24ad
> linux$ ipsec spi --af inet --edst 100.1.3.4 --spi 0x1001 --proto tun --src 200.6.7.8 --ip4 --dst 100.1.3.4
> linux$ ipsec spi --af inet --edst 200.6.7.8 --spi 0x1001 --proto esp --src 100.1.3.4 --esp 3des-md5-96 --enckey 0x6d2c5688ebe2d7fc7b364da932eee4cbf092a3d63415e59a --authkey 0xbde359723576fdea08e56cbe876e24ad
> linux$ ipsec spi --af inet --edst 200.6.7.8 --spi 0x1001 --proto tun --src 100.1.3.4 --ip4 --dst 200.6.7.8
>
>Group the security associations to create the correct tunnel mode SAs ...
>
> linux$ ipsec spigrp --said tun.1001@200.6.7.8 esp.1001@200.6.7.8
> linux$ ipsec spigrp --said tun.1001@100.1.3.4 esp.1001@100.1.3.4
>
>Create an outbound eroute to ensure that all outbound subnet-to-subnet
>traffic gets encrypted ...
>
> linux$ ipsec eroute --add --eraf inet --src 250.10.11.0/24 --dst 50.60.70.0/24 --af inet --edst 100.1.3.4 --spi 0x1001 --proto tun
>
>Route all traffic to the Solaris subnet out the ipsec device so that
>it gets encrypted ...
>
> linux$ route add -net 50.60.70.0/24 ipsec0
>
>Assuming that forwarding is enabled on both sides and that ipsec0 has
>been correctly configured on the Linux side then (barring typos in the
>above) a ping from one subnet to the other should work. See the
>manual pages for ipsec_spi, ipsec_eroute and route for more
>information.
>
>---------
>*** You can of course bypass these command line tools and go directly
> to the kernel interface by opening the PF_KEY socket to set up SA
> and SP entries and opening an AF_INET+SOCK_DGRAM socket to install
> routes.
>_______________________________________________
>Users mailing list
>Users_at_lists.freeswan.org
>http://lists.freeswan.org/mailman/listinfo/users
>
>
I see. What about a host-to-host only configuration? I'm trying to do
this peer-to-peer networking style, a no-DNS setup.
I'm directly connected to a number of hosts and they relay my messages to
the rest of the p2p network.
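An added example, not from this thread or from FreeS/WAN itself: a POSIX shell generator for the command set Stephen lists (two ESP SAs, two IPv4-in-IPv4 tunnel SAs, the spigrp bindings, the eroute and the kernel route), with a key-length check up front, and extended to the host<->host case Rogelio asks about by treating each host as its own /32 subnet. That /32 extension, the function names and the ipsec0 device name are my assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): emit the FreeS/WAN manual-keying
# commands the quoted post builds by hand, for both directions of one tunnel.
# Nothing is executed here; review the output and pipe it into sh on the gateway.
#
#   gen_manual_tunnel LOCAL_GW REMOTE_GW LOCAL_NET REMOTE_NET SPI ENCKEY AUTHKEY
#
# Host-to-host (assumption, not shown in the post): pass LOCAL_GW/32 and
# REMOTE_GW/32 as the two nets, so the eroute covers only the two hosts.

# hexlen_ok HEX DIGITS: true when HEX is exactly DIGITS hex characters.
# 3des-md5-96 needs a 24-byte (48 hex) cipher key and a 16-byte (32 hex) MD5 key;
# a wrong length is exactly the kind of typo the post warns about, so refuse it.
hexlen_ok() {
    case "$1" in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    [ "${#1}" -eq "$2" ]
}

# emit_sa_pair EDST SRC SPI ENCKEY AUTHKEY: the ESP SA, the IPv4-in-IPv4 tunnel
# SA and the spigrp that binds them, for packets arriving at EDST from SRC.
emit_sa_pair() {
    echo "ipsec spi --af inet --edst $1 --spi $3 --proto esp --src $2 --esp 3des-md5-96 --enckey 0x$4 --authkey 0x$5"
    echo "ipsec spi --af inet --edst $1 --spi $3 --proto tun --src $2 --ip4 --dst $1"
    # SAID notation drops the 0x prefix: tun.1001@host, not tun.0x1001@host.
    echo "ipsec spigrp --said tun.${3#0x}@$1 esp.${3#0x}@$1"
}

gen_manual_tunnel() {
    hexlen_ok "$6" 48 || { echo "enckey must be 48 hex digits (3DES)" >&2; return 1; }
    hexlen_ok "$7" 32 || { echo "authkey must be 32 hex digits (MD5)" >&2; return 1; }
    # Like the post, one SPI/key set serves both directions; SAs are
    # unidirectional, so separate keys per direction are the better practice.
    emit_sa_pair "$2" "$1" "$5" "$6" "$7"   # outbound: local gw -> remote gw
    emit_sa_pair "$1" "$2" "$5" "$6" "$7"   # inbound:  remote gw -> local gw
    # Policy: only LOCAL_NET -> REMOTE_NET traffic is sent through the tunnel SA.
    echo "ipsec eroute --add --eraf inet --src $3 --dst $4 --af inet --edst $2 --spi $5 --proto tun"
    # Kernel route so packets for REMOTE_NET enter ipsec0 and get encrypted.
    case "$4" in
        */32) echo "route add -host ${4%/32} dev ipsec0" ;;
        *)    echo "route add -net $4 dev ipsec0" ;;
    esac
}

# The subnet<->subnet case from the post (its invented addresses and keys reused):
gen_manual_tunnel 200.6.7.8 100.1.3.4 250.10.11.0/24 50.60.70.0/24 0x1001 \
    6d2c5688ebe2d7fc7b364da932eee4cbf092a3d63415e59a bde359723576fdea08e56cbe876e24ad
```

For the host<->host case run it as `gen_manual_tunnel 200.6.7.8 100.1.3.4 200.6.7.8/32 100.1.3.4/32 ...`, and mirror the arguments on the peer.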
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:08 CEST