Re: question on setting up for ipsec/linux
I'm away from Greece until the end of February. Some questions I may be able to answer, but I don't have the ipsec code with me, nor do I have a setup where I can test things. Here are some tips that may help you though.

* The code has been tested under 2.0.27 and 2.0.28. It will probably run on kernels down to 2.0.24. It will not even load with 2.1.x.

* Only "tunnel mode" works. I'm waiting for a few more changes to occur to the 2.1.x routing code before I move the IPSEC code to 2.1.x and implement transport mode.

* While not reflected in the (excuse for) documentation, I *have* tested all the modes for all the transforms. Of course, I may have interpreted the I-Ds in the wrong way, but I don't think so.

The following transforms are supported:

    ah md5
    esp des (with 32 and 64 bit IVs)
    ah hmac-md5
    ah hmac-sha-1
    esp des-md5
    esp 3des-md5

Please note that the des-md5 and 3des-md5 have this weird concept of the Initiator and Responder. Since we're still doing manual keying anyway, it doesn't matter much which side is which, and it doesn't even matter which if both sides are Is or Rs. The information is only used to derive the encryption and authentication keys, the IV and the counter, from the (hopefully) negotiated shared secret. If all else fails, set both sides to be Initiators, and this way you won't have to think about which "setsa" lines get an r and which get an i.

I'll try to write up some more docs when I'm back in Athens, but if someone else from Europe could do it, it would be good.

/ji
John Ioannidis