Thread: Reg AH n ESP configuration using whack




Reg AH n ESP configuration using whack
United States
2007-03-06 01:33:55
Thank you Paul,

Yes, I have put my configuration in ipsec.conf and checked it out using ipsec auto --showonly --add <conname>, but the whack command that is framed does not contain any "ah" options that I specified, because the "ah" option is only processed if it is manual keying. But I require auto keying, so the "ah" option is ignored while parsing ipsec.conf.

When testing other scenarios I found that specifying only "--authenticate" and "--encrypt" without the --esp option does include AH and ESP headers; the problem here is that I cannot specify the algos that I want.

conn ho2bo1
       leftid=ho
       left=10.1.6.1
       leftsubnet=172.16.15.0/24
       leftnexthop=10.1.6.2
       leftrsasigkey=0sAQNCC3IN8...
       rightid=bo1
       right=10.1.5.1
       rightsubnet=192.168.10.0/24
       rightnexthop=10.1.5.2
       rightrsasigkey=0sAQNb88Bj3...
       auth=ah
       esp=3des-md5-96
       ike=aes256-sha1
       auto=start
       keyingtries=%forever
       ah=hmac-md5-96

The whack command framed is:
ipsec whack --name ho2bo1 --encrypt --tunnel --ike
aes256-sha1 --esp 3des-md5-96 --authenticate --pfs
--dpdaction hold --rsasig 
--host 10.1.6.1 --client 172.16.15.0/24 --nexthop 10.1.6.2
--updown 'ipsec _updown' --id ho --sendcert always 
--to 
--host 10.1.5.1 --client 192.168.10.0/24 --nexthop 10.1.5.2
--updown 'ipsec _updown' --id bo1 --sendcert always 
--ipseclifetime 28800 --rekeymargin 540 --keyingtries 0
002 added connection description "ho2bo1"

Best Regards,
Shyam.

On Mon, 5 Mar 2007, shyam wrote:

> I have configured a test ipsec tunnel between two systems.
> The tunnel is established, but I'm not able to see any AH header; I'm able to
> view only the ESP header.
>
> How can I modify the below setup so that I can have only AH
> or both AH and ESP?

See man ipsec_whack:

       --encrypt
              All proposed or accepted IPsec SAs will include non-null ESP.
              The actual choices of transforms are wired into pluto.

       --authenticate
              All proposed IPsec SAs will include AH. All accepted IPsec SAs
              will include AH or ESP with authentication. The actual choices
              of transforms are wired into pluto. Note that this has nothing
              to do with IKE authentication.

> Just removing --encrypt and adding the --authenticate option isn't
> showing any effect.

That should work, though I personally never whack manually. Try configuring
an ipsec.conf with esp= and with ah=, and change the "auto" shell script
to include -e so it displays the exact whack commands?

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

_______________________________________________
Users@openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

Re: Reg AH n ESP configuration using whack
Netherlands
2007-03-05 09:55:31
On Tue, 6 Mar 2007, shyam wrote:

> Yes, I have put my configuration in ipsec.conf and checked it out
> using ipsec auto --showonly --add <conname>,
> but the whack command that is framed does not contain any "ah" options
> that I specified, because the "ah" option is only processed if it is
> manual keying.

AFAIK AH vs ESP has nothing to do with manual vs auto.

> But I require auto keying, so the "ah" option is ignored while parsing
> ipsec.conf.

But I believe ah= has similar options. Again, I'm not sure because I never
use AH or manual keying.

> When testing other scenarios I found that specifying only "--authenticate"
> and "--encrypt" without the --esp option does include AH and ESP headers;
> the problem here is that I cannot specify the algos that I want.

With manual keying you cannot negotiate ciphers. You have to pick 1. With
automatic keying, you can pick multiple and let IKE come to a mutual
decision. Remember that with manual keying, you don't talk to the other end
to discuss any property of the connection. It is ALL hardcoded. That's why
you should not use manual keying at all. I am also not sure why you want to
use AH, but at times people believe it is better for QoS purposes.

> conn ho2bo1
>        leftid=ho
>        left=10.1.6.1
>        leftsubnet=172.16.15.0/24
>        leftnexthop=10.1.6.2
>        leftrsasigkey=0sAQNCC3IN8...
>        rightid=bo1
>        right=10.1.5.1
>        rightsubnet=192.168.10.0/24
>        rightnexthop=10.1.5.2
>        rightrsasigkey=0sAQNb88Bj3...
>        auth=ah
>        esp=3des-md5-96

You prob mean ah=3des-md5-96

>        ike=aes256-sha1
>        auto=start

So this is automatic keying, not manual keying, because you are using the
auto command. I think you need manual=start

>        keyingtries=%forever
>        ah=hmac-md5-96

Paul
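The check Shyam describes (comparing the conn section with the whack command that ipsec auto --showonly prints) and Paul's suggestion to look at the exact whack commands can be scripted. The following is an added example written for this archive page; it is not code from the thread or from Openswan. The conn text and the whack line are copied from the thread; the table mapping conn keys to whack flags is an assumption read off those two artefacts, and the flag name expected for ah= is a placeholder, since the thread never shows one.

```python
"""Added example (not from the thread or Openswan): cross-check an ipsec.conf
conn section against the whack command printed for it by
`ipsec auto --showonly --add`, and list the parameters that never reached
the whack command line."""
import re
import shlex

# Constructed input: the conn section as posted in the thread (the stray
# space in "auth =ah" is kept on purpose so the parser has to tolerate it).
IPSEC_CONF = """\
conn ho2bo1
       leftid=ho
       left=10.1.6.1
       leftsubnet=172.16.15.0/24
       leftnexthop=10.1.6.2
       leftrsasigkey=0sAQNCC3IN8...
       rightid=bo1
       right=10.1.5.1
       rightsubnet=192.168.10.0/24
       rightnexthop=10.1.5.2
       rightrsasigkey=0sAQNb88Bj3...
       auth =ah
       esp=3des-md5-96
       ike=aes256-sha1
       auto=start
       keyingtries=%forever
       ah=hmac-md5-96
"""

# The whack command from the thread, joined back onto one line.
WHACK_CMD = (
    "ipsec whack --name ho2bo1 --encrypt --tunnel --ike aes256-sha1 "
    "--esp 3des-md5-96 --authenticate --pfs --dpdaction hold --rsasig "
    "--host 10.1.6.1 --client 172.16.15.0/24 --nexthop 10.1.6.2 "
    "--updown 'ipsec _updown' --id ho --sendcert always --to "
    "--host 10.1.5.1 --client 192.168.10.0/24 --nexthop 10.1.5.2 "
    "--updown 'ipsec _updown' --id bo1 --sendcert always "
    "--ipseclifetime 28800 --rekeymargin 540 --keyingtries 0"
)

# Assumed mapping of conn keys to the whack flag each one should produce.
# "ah" -> "ah" is a placeholder: the thread never shows which flag, if any,
# ah= turns into, which is exactly what the script reports.
CONN_TO_WHACK = {
    "left": "left.host", "leftsubnet": "left.client",
    "leftnexthop": "left.nexthop", "leftid": "left.id",
    "right": "right.host", "rightsubnet": "right.client",
    "rightnexthop": "right.nexthop", "rightid": "right.id",
    "esp": "esp", "ike": "ike", "keyingtries": "keyingtries",
    "ah": "ah",
}
PER_SIDE_FLAGS = {"host", "client", "nexthop", "updown", "id", "sendcert"}


def parse_conn(text, name):
    """Return {key: value} for the named conn section; tolerates 'key =value'."""
    params, in_section = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        m = re.match(r"conn\s+(\S+)", stripped)
        if m:
            in_section = (m.group(1) == name)
            continue
        if in_section and "=" in stripped:
            key, _, value = stripped.partition("=")
            params[key.strip()] = value.strip()
    return params


def parse_whack(cmd):
    """Return {flag: value or None}. Flags before --to describe the left host,
    flags after it the right host, so per-side flags get a 'left.'/'right.'
    prefix instead of overwriting each other."""
    tokens, flags, side, i = shlex.split(cmd), {}, "left.", 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "--to":
            side, i = "right.", i + 1
            continue
        if not tok.startswith("--"):
            i += 1  # 'ipsec', 'whack', or a value already consumed
            continue
        name = tok[2:]
        if name in PER_SIDE_FLAGS:
            name = side + name
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
            flags[name], i = tokens[i + 1], i + 2
        else:
            flags[name], i = None, i + 1  # bare flag such as --encrypt
    return flags


def proposed_headers(flags):
    """Per the ipsec_whack man page quoted in the thread: --encrypt proposes
    SAs with ESP, --authenticate proposes SAs with AH."""
    return {h for f, h in (("encrypt", "ESP"), ("authenticate", "AH")) if f in flags}


def missing_in_whack(params, flags):
    """Conn keys whose expected whack flag is absent from the command line."""
    missing = []
    for key, value in params.items():
        if key == "auth":
            if value == "ah" and "authenticate" not in flags:
                missing.append(key)
        elif key in CONN_TO_WHACK and CONN_TO_WHACK[key] not in flags:
            missing.append(key)
    return missing


if __name__ == "__main__":
    params = parse_conn(IPSEC_CONF, "ho2bo1")
    flags = parse_whack(WHACK_CMD)
    print("headers proposed by the whack flags:", sorted(proposed_headers(flags)))
    for key in missing_in_whack(params, flags):
        print(f"conn parameter {key}={params[key]} produced no whack flag")
```

Run against the thread's own data it reports that both AH and ESP are proposed (the command carries --authenticate and --encrypt) and that ah=hmac-md5-96 is the one parameter with no counterpart on the whack line, which is what Shyam observed; swapping in the output of `ipsec auto --showonly --add <conname>` for any other conn gives the same report for that conn.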
