From: "Dan Langille"
To: Greg Troxel
Cc: freebsd-security@FreeBSD.org
Date: Fri, 23 Apr 2004 10:39:49 -0400
Subject: Re: IPsec - got ESP going, but not AH
Message-ID: <4088F275.17020.1EA9BE84@localhost>
References: <40885ECF.22456.1C68F42E@localhost>
List-Id: Security issues [members-only posting]

On 23 Apr 2004 at 8:02, Greg Troxel wrote:

> While this should probably work, it's more straightforward to use ESP
> with integrity protection. That is, use a -A hmac-sha1 argument also
> to ESP. (hmac-md5 is probably still fine, but sha1 goes better
> strength-wise with rijndael-cbc.)

Thank you for your suggestions.

Based on that, I've tried the following, which works for me:

add 10.0.0.1 10.0.0.10 esp 691 -E rijndael-cbc "1234567890123456" -A hmac-sha1 "12345678901234567890";
add 10.0.0.10 10.0.0.1 esp 693 -E rijndael-cbc "1234567890123456" -A hmac-sha1 "12345678901234567890";
spdadd 10.0.0.0/24 0.0.0.0/0 any -P out ipsec esp/tunnel/10.0.0.10-10.0.0.1/require;
spdadd 0.0.0.0/0 10.0.0.0/24 any -P in ipsec esp/tunnel/10.0.0.1-10.0.0.10/require;

Cheers
-- 
Dan Langille : http://www.langille.org/
BSDCan - http://www.bsdcan.org/
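The configuration in the message above is the right shape (ESP in tunnel mode with rijndael-cbc for confidentiality and hmac-sha1 for integrity, one SA per direction, one SPD entry per direction), but it uses the ASCII placeholder keys from the thread. The following POSIX shell script is an added example, not part of Dan's message or of FreeBSD's own setkey(8) tooling: it emits a setkey configuration of the same shape with keys drawn from /dev/urandom in setkey's 0x hex notation, checks each key against the length its algorithm expects (16/24/32 bytes for rijndael-cbc, 20 bytes for hmac-sha1), and pins each SA to tunnel mode with -m tunnel. The gateway addresses, inner network, SPIs and the "generate" argument are assumptions chosen to mirror the thread.

```shell
#!/bin/sh
# Added example (not from the original thread or from FreeBSD's setkey):
# emit a manually keyed setkey(8) configuration for one ESP tunnel that
# carries both rijndael-cbc encryption and hmac-sha1 integrity, the
# combination recommended in the message above. Gateway addresses, the
# inner network, the SPIs and the "generate" argument are assumptions.

# Print N bytes from /dev/urandom as lowercase hex (no 0x prefix).
rand_hex() {
    od -An -tx1 -N "$1" /dev/urandom | tr -d ' \n'
}

# Check that a hex key has the length the algorithm expects:
# rijndael-cbc takes 16, 24 or 32 bytes (AES-128/192/256); hmac-sha1
# takes 20 bytes. Returns 0 if acceptable, 1 otherwise.
check_key() {
    alg=$1
    key=$2
    case $key in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ $(( ${#key} % 2 )) -eq 0 ] || return 1
    bytes=$(( ${#key} / 2 ))
    case $alg in
        rijndael-cbc) [ "$bytes" -eq 16 ] || [ "$bytes" -eq 24 ] || [ "$bytes" -eq 32 ] ;;
        hmac-sha1)    [ "$bytes" -eq 20 ] ;;
        *)            return 1 ;;
    esac
}

# Write a complete setkey configuration to stdout.
#   $1 local gateway   $2 remote gateway   $3 local inner network (CIDR)
#   $4 SPI for the outbound SA   $5 SPI for the inbound SA
#   $6/$7 outbound enc/auth key (hex)   $8/$9 inbound enc/auth key (hex)
# One SA per direction, each with its own keys; -m tunnel restricts the
# SA to tunnel mode so it can only satisfy the tunnel policies below.
setkey_conf() {
    local_gw=$1; remote_gw=$2; inner=$3; spi_out=$4; spi_in=$5
    ek_out=$6; ak_out=$7; ek_in=$8; ak_in=$9
    for pair in "rijndael-cbc $ek_out" "hmac-sha1 $ak_out" \
                "rijndael-cbc $ek_in"  "hmac-sha1 $ak_in"; do
        # $pair is split on purpose into "algorithm key"
        check_key $pair || { echo "setkey_conf: bad key for ${pair%% *}" >&2; return 1; }
    done
    cat <<EOF
flush;
spdflush;
add $local_gw $remote_gw esp $spi_out -m tunnel -E rijndael-cbc 0x$ek_out -A hmac-sha1 0x$ak_out;
add $remote_gw $local_gw esp $spi_in -m tunnel -E rijndael-cbc 0x$ek_in -A hmac-sha1 0x$ak_in;
spdadd $inner 0.0.0.0/0 any -P out ipsec esp/tunnel/$local_gw-$remote_gw/require;
spdadd 0.0.0.0/0 $inner any -P in ipsec esp/tunnel/$remote_gw-$local_gw/require;
EOF
}

# Stand-alone use: "sh gen-setkey.sh generate > ipsec.conf" and then
# "setkey -f ipsec.conf". The peer needs the same two "add" lines (same
# SPIs and keys) and its own "spdadd" lines with the directions reversed.
if [ "${1:-}" = "generate" ]; then
    setkey_conf 10.0.0.10 10.0.0.1 10.0.0.0/24 693 691 \
        "$(rand_hex 16)" "$(rand_hex 20)" "$(rand_hex 16)" "$(rand_hex 20)"
fi
```

Two points worth noting about the design. The ASCII keys in the message happen to be 16 and 20 bytes, which are legal lengths, so setkey accepts them; the length check here would also accept them if given as hex, and the only thing that makes the generated keys better is that they come from the kernel's random source rather than from a keyboard. Separate keys per direction mean that compromising one SA's key does not expose the reverse direction, which is how IKE-negotiated SAs behave too.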