
Re: ipsec questions/bugs/fixes (PF_KEY/PF_ENCAP)



In message <19990302134623.A18309@folly.informatik.uni-erlangen.de>, Markus Friedl writes:
>AH/ESP connections between machines (i386 w/ current) running PF_KEY
>and PF_ENCAP kernels.
>
>So far, I can only get AH work. ESP fails to decode the messages.
>The decoded packet contains garbage (bad port numbers, TCP flags,
>etc, test-scripts are attached).
You forgot to specify the IV for the transforms. PF_ENCAP was
able to do IV-less mode by deriving an IV from the packet headers.
We don't do that any more with PFKEYv2.
So just modify your scripts to include a -iv line:

[...]
># SA setup (bela->folly)
>ipsecadm new ah \
>	-spi $SPI1 \
>	-src $BELA \
>	-dst $FOLLY \
>	-auth md5 \
        -iv 0011223344556677 \
>	-key 6f416f352c00fae64e9a02772d74433e
>
># other direction (folly->bela)
>ipsecadm new ah \
>	-spi $SPI2 \
>	-src $FOLLY \
>	-dst $BELA \
>	-auth md5 \
        -iv 0011223344556677 \
>	-key c8f5980566ccab1b502b87d8f43a4b14
>

Greetings,
 Niels.

PS: someone give beer to the greek, serious Guinness deprivation since leaving
Theo and Canada, it seems.
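An added illustration of the failure mode Niels describes (not code from the thread or from the OpenBSD ipsecadm/IPsec code): AH only authenticates, so it has no IV to disagree about, while an ESP CBC transform decrypted with a different IV than the sender used yields garbage in the first block, which in transport mode holds the TCP ports and sequence number. The block cipher here is a constructed HMAC-based Feistel stand-in for DES (same 8-byte block, so the CBC arithmetic is identical); the key and IV values are the ones from the quoted script, the TCP segment is constructed, and the receiver is assumed to fall back to an all-zero IV when none is configured, which is a modelling assumption, not a statement about how PF_KEY or PF_ENCAP carry the IV on the wire.

```python
import hashlib
import hmac
import struct

BLOCK = 8  # 64-bit block, like the DES/3DES transforms of that era

KEY = bytes.fromhex("6f416f352c00fae64e9a02772d74433e")  # -key from the script
IV = bytes.fromhex("0011223344556677")                    # -iv Niels suggests
NO_IV = bytes(BLOCK)                                      # assumed fallback: zero IV


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Round function of the constructed cipher: 4 bytes of HMAC-SHA256.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # 8-round balanced Feistel network standing in for DES (constructed).
    l, r = block[:4], block[4:]
    for i in range(8):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in reversed(range(8)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0, "caller pads to the block size"
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def build_tcp_segment() -> bytes:
    # Constructed 20-byte TCP header (sport 22, dport 1234, SYN) + 4 pad bytes.
    return struct.pack("!HHIIBBHHH", 22, 1234, 1000, 0, 5 << 4, 0x02,
                       8192, 0, 0) + b"\x00" * 4


def parse_ports_flags(segment: bytes):
    sport, dport = struct.unpack("!HH", segment[:4])
    return sport, dport, segment[13]


def esp_receive(receiver_iv: bytes):
    """Sender encrypts with IV; receiver decrypts with receiver_iv."""
    segment = build_tcp_segment()
    ct = cbc_encrypt(KEY, IV, segment)
    pt = cbc_decrypt(KEY, receiver_iv, ct)
    # In CBC a wrong IV corrupts exactly the first block: P1 ^ IV ^ receiver_iv.
    first_block_garbled = pt[:BLOCK] != segment[:BLOCK]
    rest_intact = pt[BLOCK:] == segment[BLOCK:]
    return parse_ports_flags(pt), first_block_garbled, rest_intact


def ah_verify(receiver_iv: bytes) -> bool:
    """AH-style HMAC-MD5 check: no IV enters the computation, so it passes."""
    segment = build_tcp_segment()
    tag = hmac.new(KEY, segment, hashlib.md5).digest()
    del receiver_iv  # unused on purpose: AH has nothing to disagree about
    return hmac.compare_digest(hmac.new(KEY, segment, hashlib.md5).digest(), tag)


if __name__ == "__main__":
    print("ESP, IV configured on both sides:", esp_receive(IV))
    print("ESP, receiver without -iv:        ", esp_receive(NO_IV))
    print("AH, receiver without -iv:         ", ah_verify(NO_IV))
```

With the shared IV the receiver sees `(22, 1234, 2)`; without it the first block comes back XORed with the IV difference, so the ports read `7` and `9953` while the SYN flag (byte 13, in the second block) and everything after it are intact, which is the "garbage in some header fields" picture from the report rather than a wholly random packet.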