From owner-freebsd-security Fri Mar 9 03:05:59 2001
Delivered-To: freebsd-security@freebsd.org
Received: from xocah.holywar.net (xocah.holywar.net [211.232.152.22]) by hub.freebsd.org (Postfix) with SMTP id 07B8037B71F for ; Fri, 9 Mar 2001 03:05:53 -0800 (PST) (envelope-from tsoi@xocah.holywar.net)
Received: (qmail 3609 invoked by uid 101); 9 Mar 2001 11:05:47 -0000
Date: Fri, 9 Mar 2001 20:05:47 +0900
From: "ho-sang, yoon"
To: misc@openbsd.org
Cc: freebsd-security@freebsd.org
Subject: IPsec between OpenBSD and FreeBSD
Message-ID: <20010309200546.A1386@xocah.holywar.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Sorry for the second question today. I tried this for the entire day, but there's no light on me. Changed the algorithm, changed the key, ... but all was in vain. Can anybody help me out?

(I tried manual keying, not using racoon or isakmpd.)

First, just AH:

o. in OpenBSD

ipsecadm new ah -spi 1000 -src a.a.a.a -dst b.b.b.b -auth sha1 \
    -key 1234567890123456789012345678901234567890
ipsecadm new ah -spi 3e9 -dst a.a.a.a -src b.b.b.b -auth sha1 \
    -key 1234567890123456789012345678901234567890
ipsecadm flow -dst b.b.b.b -proto ah -addr a.a.a.a \
    255.255.255.255 b.b.b.b 255.255.255.255 -out -require
ipsecadm flow -dst a.a.a.a -proto ah -addr b.b.b.b \
    255.255.255.255 a.a.a.a 255.255.255.255 -in -require

o. in FreeBSD

add b.b.b.b a.a.a.a ah-old 1001 -A keyed-md5 "1234567890123456";
add a.a.a.a b.b.b.b ah-old 4096 -A keyed-md5 "1234567890123456";
spdadd b.b.b.b a.a.a.a any -P out ipsec \
    ah/transport/b.b.b.b-a.a.a.a/require;
spdadd a.a.a.a b.b.b.b any -P in ipsec \
    ah/transport/a.a.a.a-b.b.b.b/require;

Result: I checked with tcpdump and found that the packets are actually received on both hosts, but with 'checksum mismatch' errors, so pinging is not established.

Second, just ESP:

o. in OpenBSD

ipsecadm new esp -enc blf -spi 1000 -dst b.b.b.b -src a.a.a.a \
    -key 12349876432167890192837465098273
ipsecadm new esp -enc blf -spi 3e9 -dst a.a.a.a -src b.b.b.b \
    -key 12349876432167890192837465098273
ipsecadm flow -dst b.b.b.b -proto esp -addr a.a.a.a \
    255.255.255.255 b.b.b.b 255.255.255.255 -out -require
ipsecadm flow -dst a.a.a.a -proto esp -addr b.b.b.b \
    255.255.255.255 a.a.a.a 255.255.255.255 -in -require

o. in FreeBSD

add b.b.b.b a.a.a.a esp 1001 -E blowfish-cbc \
    "12349876432167890192837465098273";
add a.a.a.a b.b.b.b esp 4096 -E blowfish-cbc \
    "12349876432167890192837465098273";
spdadd b.b.b.b a.a.a.a any -P out ipsec \
    esp/transport/b.b.b.b-a.a.a.a/require;
spdadd a.a.a.a b.b.b.b any -P in ipsec \
    esp/transport/a.a.a.a-b.b.b.b/require;

Result: same as the 'AH only' case above, but with a different error: 'bad pad length' when checking with tcpdump.

Any help will be greatly appreciated.

* Please CC me, I'm not on this list.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
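A consistency check for manually keyed SA pairs like the ones in this post, added here as an example that is not from the post or from either project. It parses the ipsecadm and setkey `add` lines, normalises what the two tools read differently (ipsecadm takes the SPI and the key as hex; setkey takes a bare SPI as decimal and a double-quoted key as literal characters, with hex only behind a 0x prefix), and reports, per traffic direction, which of protocol, SPI, algorithm or key the two ends disagree on. The `CANON_ALG` table and the pairing of SAs by (src, dst) are my own assumptions.

```python
import re
from dataclasses import dataclass

# Each tool's algorithm spellings mapped to one canonical name. ipsecadm "sha1"/"md5"
# mean HMAC (RFC 2404/2403); setkey "keyed-md5" (ah-old only) is RFC 1828, kept distinct.
CANON_ALG = {"sha1": "hmac-sha1", "hmac-sha1": "hmac-sha1", "md5": "hmac-md5", "hmac-md5": "hmac-md5",
             "blf": "blowfish-cbc", "blowfish-cbc": "blowfish-cbc", "keyed-md5": "keyed-md5"}

@dataclass(frozen=True)
class SA:
    src: str
    dst: str
    proto: str  # "ah", "ah-old", "esp"
    spi: int
    alg: str
    key: bytes

def parse_ipsecadm(cmd: str) -> SA:
    """ipsecadm new <ah|esp> -spi HEX -src S -dst D (-auth|-enc) ALG -key HEX"""
    tok = cmd.split()
    opt = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
    alg = opt.get("-auth") or opt["-enc"]
    # ipsecadm reads both the SPI and the key as hexadecimal.
    return SA(opt["-src"], opt["-dst"], tok[2], int(opt["-spi"], 16),
              CANON_ALG[alg], bytes.fromhex(opt["-key"]))

def parse_setkey(cmd: str) -> SA:
    """setkey: add S D <proto> SPI (-A|-E) ALG KEY ;"""
    m = re.match(r"\s*add\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+-[AE]\s+(\S+)\s+(\S+)\s*;", cmd)
    src, dst, proto, spi, alg, key = m.groups()
    # setkey: a bare SPI is decimal (hex needs 0x); a double-quoted key is literal bytes, hex needs 0x.
    spi_val = int(spi, 16) if spi.startswith("0x") else int(spi)
    key_b = bytes.fromhex(key[2:]) if key.startswith("0x") else key.strip('"').encode()
    return SA(src, dst, proto, spi_val, CANON_ALG[alg], key_b)

def check_peers(openbsd_cmds, freebsd_cmds) -> dict:
    """Pair both ends' SAs by (src, dst); the value lists the fields they disagree on."""
    left = {(s.src, s.dst): s for s in map(parse_ipsecadm, openbsd_cmds)}
    right = {(s.src, s.dst): s for s in map(parse_setkey, freebsd_cmds)}
    return {d: [f for f in ("proto", "spi", "alg", "key")
                if getattr(left[d], f) != getattr(right[d], f)] for d in left if d in right}

# The AH SAs from the post (addresses left as its a.a.a.a / b.b.b.b placeholders).
AH_OPENBSD = [
    "ipsecadm new ah -spi 1000 -src a.a.a.a -dst b.b.b.b -auth sha1 -key 1234567890123456789012345678901234567890",
    "ipsecadm new ah -spi 3e9 -dst a.a.a.a -src b.b.b.b -auth sha1 -key 1234567890123456789012345678901234567890",
]
AH_FREEBSD = ['add b.b.b.b a.a.a.a ah-old 1001 -A keyed-md5 "1234567890123456";',
              'add a.a.a.a b.b.b.b ah-old 4096 -A keyed-md5 "1234567890123456";']
print(check_peers(AH_OPENBSD, AH_FREEBSD))
```

Feeding the post's ESP lines through `check_peers` the same way reports only the key, since the hex digits on the OpenBSD side and the quoted characters on the FreeBSD side decode to different byte strings.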