Date: Fri, 09 Mar 2001 21:10:31 +0900
From: itojun@iijlab.net
To: "ho-sang, yoon" <tsoi@xocah.holywar.net>
Cc: misc@openbsd.org, freebsd-security@freebsd.org
Subject: Re: IPsec between OpenBSD and FreeBSD
Message-ID: <1510.984139831@coconut.itojun.org>
In-Reply-To: tsoi's message of Fri, 09 Mar 2001 20:05:47 JST. <20010309200546.A1386@xocah.holywar.net>
>Sorry for a second question today,
>I tried this for an entire day, but there's no light on me.
>Changed algorithm, changed key, ... but all was in vain.
>Can anybody help me out? (I tried manual keying, not using racoon or isakmpd)
>
>First, just AH,
>
>o. in OpenBSD
>
>ipsecadm new ah -spi 1000 -src a.a.a.a -dst b.b.b.b -auth sha1 \
>-key 1234567890123456789012345678901234567890
>
>ipsecadm new ah -spi 3e9 -dst a.a.a.a -src b.b.b.b -auth sha1 \
>-key 1234567890123456789012345678901234567890
>
>ipsecadm flow -dst b.b.b.b -proto ah -addr a.a.a.a \
>255.255.255.255 b.b.b.b 255.255.255.255 -out -require
>ipsecadm flow -dst a.a.a.a -proto ah -addr b.b.b.b \
>255.255.255.255 a.a.a.a 255.255.255.255 -in -require
>
>
>o. in FreeBSD
>
>add b.b.b.b a.a.a.a ah-old 1001 -A keyed-md5 "1234567890123456";
>add a.a.a.a b.b.b.b ah-old 4096 -A keyed-md5 "1234567890123456";
>spdadd b.b.b.b a.a.a.a any -P out ipsec \
>ah/transport/b.b.b.b-a.a.a.a/require;
>spdadd a.a.a.a b.b.b.b any -P in ipsec \
>ah/transport/a.a.a.a-b.b.b.b/require;

the key to IPsec configuration is to use EXACTLY the same configuration
on both ends. if there's any difference, you have no chance to make
them interoperate.

there are three mistakes at least:

- openbsd side is using new AH (RFC2402), while freebsd side is using
  old AH (RFC1826). I suggest you use new AH for both ends.
- openbsd side is using sha1 (= hmac-sha1) and freebsd side is using
  keyed-md5. you can pick either of them, but you really need to use
  the same thing for both ends.
- key does not match in both ends. FreeBSD key in the above is an ascii
  string, which would be 0x31323334... if written in binary form.
  openbsd side uses binary form. you need to use the same value, as
  binary. the easiest way is to use hexadecimal form for both ends,
  like:

	openbsd:	-key 1234567890123456789012345678901234567890
	freebsd:	-A hmac-sha1 0x1234567890123456789012345678901234567890

I omit the analysis for the ESP case.
carefully check if ALL the configuration items are the same, and if
not, change them so that they meet up.

itojun
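The check itojun recommends can be mechanised: parse both sides into one common shape and diff field by field, so that the tool-specific encodings (ipsecadm takes the SPI and key in hex; setkey takes the SPI in decimal unless it carries a 0x prefix, and turns a double-quoted key into ASCII bytes) cannot hide a mismatch. The script below is an added example, not part of the thread or of either project; it understands only the `new|old ah` / `add ... ah|ah-old ... -A alg key` forms used in the post, uses the poster's `a.a.a.a` / `b.b.b.b` placeholders as constructed input, and regenerates setkey lines in all-hex form from the OpenBSD SAs so the two sides can be shown to agree afterwards.

```python
"""Cross-check manually keyed AH SAs written for OpenBSD ipsecadm(8) and FreeBSD setkey(8).

Both tools are normalised into one dictionary per SA so that the AH variant
(RFC 2402 "ah" vs RFC 1826 "ah-old"), the SPI, the authenticator and the raw
key bytes can be compared directly.  Only the options used in the post are
understood; this is example code, not a general ipsecadm/setkey parser.
"""
import shlex

# ipsecadm -auth names -> the names setkey uses for the same HMAC.
IPSECADM_AUTH = {"md5": "hmac-md5", "sha1": "hmac-sha1"}
# setkey -A names accepted here; keyed-* are the RFC 1826-era keyed hashes, not HMAC.
SETKEY_AUTH = {"hmac-md5", "hmac-sha1", "keyed-md5", "keyed-sha1"}

# The two sides exactly as posted (constructed test input; a.a.a.a / b.b.b.b are the
# poster's placeholders, not real addresses).
OPENBSD_LINES = [
    "ipsecadm new ah -spi 1000 -src a.a.a.a -dst b.b.b.b -auth sha1 "
    "-key 1234567890123456789012345678901234567890",
    "ipsecadm new ah -spi 3e9 -dst a.a.a.a -src b.b.b.b -auth sha1 "
    "-key 1234567890123456789012345678901234567890",
]
FREEBSD_LINES = [
    'add b.b.b.b a.a.a.a ah-old 1001 -A keyed-md5 "1234567890123456";',
    'add a.a.a.a b.b.b.b ah-old 4096 -A keyed-md5 "1234567890123456";',
]


def parse_ipsecadm(line):
    """ipsecadm new|old ah -spi HEX -src A -dst B -auth ALG -key HEX"""
    argv = shlex.split(line)
    if argv and argv[0] == "ipsecadm":
        argv = argv[1:]
    variant, proto = argv[0], argv[1]          # "new"/"old", then "ah"
    if proto != "ah" or variant not in ("new", "old"):
        raise ValueError("only 'new ah' / 'old ah' SAs are handled: " + line)
    opts = dict(zip(argv[2::2], argv[3::2]))   # every option used here takes one value
    return {
        "src": opts["-src"],
        "dst": opts["-dst"],
        "proto": "ah" if variant == "new" else "ah-old",
        "spi": int(opts["-spi"], 16),          # ipsecadm SPIs are hexadecimal
        "auth": IPSECADM_AUTH[opts["-auth"]],
        "key": bytes.fromhex(opts["-key"]),    # ipsecadm keys are hexadecimal
    }


def parse_setkey(line):
    """add SRC DST ah|ah-old SPI -A ALG KEY ;   (a setkey(8) manual SA)"""
    argv = shlex.split(line.strip().rstrip(";"))
    if argv[0] != "add" or argv[3] not in ("ah", "ah-old") or argv[5] != "-A":
        raise ValueError("only 'add ... ah|ah-old SPI -A alg key' is handled: " + line)
    spi_tok, alg, key_tok = argv[4], argv[6], argv[7]
    if alg not in SETKEY_AUTH:
        raise ValueError("unknown authenticator " + alg)
    # setkey: a 0x prefix means hex, otherwise decimal; keys likewise are 0x-hex,
    # otherwise the double-quoted string is used as ASCII bytes (the trap in the post).
    spi = int(spi_tok, 16) if spi_tok.lower().startswith("0x") else int(spi_tok, 10)
    key = bytes.fromhex(key_tok[2:]) if key_tok.lower().startswith("0x") else key_tok.encode("ascii")
    return {"src": argv[1], "dst": argv[2], "proto": argv[3], "spi": spi, "auth": alg, "key": key}


def compare(side_a, side_b):
    """Return {(src, dst): [differing fields]} for every SA pair that does not agree."""
    a = {(sa["src"], sa["dst"]): sa for sa in side_a}
    b = {(sa["src"], sa["dst"]): sa for sa in side_b}
    report = {}
    for pair in sorted(set(a) | set(b)):
        if pair not in a or pair not in b:
            report[pair] = ["missing"]          # an SA present on one side only
            continue
        fields = [f for f in ("proto", "spi", "auth", "key") if a[pair][f] != b[pair][f]]
        if fields:
            report[pair] = fields
    return report


def to_setkey(sa):
    """Emit the setkey line that matches an SA, using hex for SPI and key on purpose."""
    return "add {src} {dst} {proto} 0x{spi:x} -A {auth} 0x{key};".format(
        src=sa["src"], dst=sa["dst"], proto=sa["proto"], spi=sa["spi"],
        auth=sa["auth"], key=sa["key"].hex())


def mismatches():
    """The posted configuration, diffed the way the reply recommends."""
    return compare([parse_ipsecadm(l) for l in OPENBSD_LINES],
                   [parse_setkey(l) for l in FREEBSD_LINES])


def corrected_freebsd():
    """setkey lines regenerated from the OpenBSD SAs; these compare clean."""
    return [to_setkey(parse_ipsecadm(l)) for l in OPENBSD_LINES]


if __name__ == "__main__":
    for pair, fields in mismatches().items():
        print("%s -> %s differs in: %s" % (pair[0], pair[1], ", ".join(fields)))
    print("\n".join(corrected_freebsd()))
```

Run against the posted lines it reports, for each direction, exactly the three fields itojun lists (proto, auth, key) and nothing for the SPI, because the poster had already converted 0x1000/0x3e9 to 4096/1001 correctly; the regenerated lines carry `ah`, `hmac-sha1` and the 20-byte key as 0x-hex, so a second `compare()` against them comes back empty.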