Hi folks,
I've been working on getting my WiFi network running with IPsec. I'm
at the point where all traffic on the wifi subnet is encrypted (i.e.
ESP). Then I tried to add AH to the equation. I failed.
This picture describes the network setup:
http://beta.freebsddiary.org/images/ipsec-wireless.gif
Here's what I'm trying and failing with. With these rules, I get no
comms between the laptop and the gateway. If I remove the
"ah/tunnel/..." clauses from the sdpadd statements, everything moves
along nicely. What am I missing here?
Any ideas? Thank you.
rules for the laptop (encrypting + authentication)
add 10.0.0.1 10.0.0.10 esp 691 -E rijndael-cbc "1234567890123456";
add 10.0.0.10 10.0.0.1 esp 693 -E rijndael-cbc "1234567890123456";
add 10.0.0.1 10.0.0.10 ah 15700 -A hmac-md5 "1234567890123456";
add 10.0.0.10 10.0.0.1 ah 24500 -A hmac-md5 "1234567890123456";
spdadd 10.0.0.0/24 0.0.0.0/0 any -P out ipsec
esp/tunnel/10.0.0.10-10.0.0.1/require
ah/tunnel/10.0.0.10-10.0.0.1/require;
spdadd 0.0.0.0/0 10.0.0.0/24 any -P in ipsec
esp/tunnel/10.0.0.1-10.0.0.10/require
ah/tunnel/10.0.0.1-10.0.0.10/require;
rules for the gateway (encrypting + authentication)
add 10.0.0.1 10.0.0.10 esp 691 -E rijndael-cbc "1234567890123456";
add 10.0.0.10 10.0.0.1 esp 693 -E rijndael-cbc "1234567890123456";
add 10.0.0.1 10.0.0.10 ah 15700 -A hmac-md5 "1234567890123456";
add 10.0.0.10 10.0.0.1 ah 24500 -A hmac-md5 "1234567890123456";
spdadd 10.0.0.0/24 0.0.0.0/0 any -P in ipsec
esp/tunnel/10.0.0.10-10.0.0.1/require
ah/tunnel/10.0.0.10-10.0.0.1/require;
spdadd 0.0.0.0/0 10.0.0.0/24 any -P out ipsec
esp/tunnel/10.0.0.1-10.0.0.10/require
ah/tunnel/10.0.0.1-10.0.0.10/require;
--
Dan Langille : http://www.langille.org/
BSDCan - http://www.bsdcan.org/
While this should probably work, it's more straightforward to use ESP
with integrity protection. That is, use a -A hmac-sha1 argument also
to ESP. (hmac-md5 is probably still fine, but sha1 goes better
strength-wise with rijndael-cbc.)
I believe that in tunnel mode AH and ESP integrity are essentially
identical - but read RFC2401 and rfc2401bis (i-d from ipsec wg) if you
really want to understand. In transport mode, AH protects parts of
the original (and only) IP header.
--
Greg Troxel <gdt@ir.bbn.com>
On 23 Apr 2004 at 8:02, Greg Troxel wrote:> While this should probably work, it's more straightforward to use ESP > with integrity protection. That is, use a -A hmac-sha1 argument also > to ESP. (hmac-md5 is probably still fine, but sha1 goes better > strength-wise with rijndael-cbc.)Thank you for your suggestions. Based on that, I've tried the following, which works for me: add 10.0.0.1 10.0.0.10 esp 691 -E rijndael-cbc "1234567890123456" -A hmac-sha1 "12345678901234567890"; add 10.0.0.10 10.0.0.1 esp 693 -E rijndael-cbc "1234567890123456" -A hmac-sha1 "12345678901234567890"; spdadd 10.0.0.0/24 0.0.0.0/0 any -P out ipsec esp/tunnel/10.0.0.10- 10.0.0.1/require; spdadd 0.0.0.0/0 10.0.0.0/24 any -P in ipsec esp/tunnel/10.0.0.1- 10.0.0.10/require; Cheers -- Dan Langille : http://www.langille.org/ BSDCan - http://www.bsdcan.org/