Current-Users archive
Re: IPsec manual keying: Question on Interoperability
Hi,
To begin with, I've set up a tunnel simply with authentication (hmac-md5).
                           ======= AH =======
                           |                |
Network-A ---- Gateway-A (Cisco) ------------ Gateway-B (Kernel/setkey) ---- Network-B
212.21.2.0/30  192.168.1.254                  192.168.1.86                   10.3.0.0/24
Configuration:
------------------
1) Connectivity - OK (routing)
2)
SETKEY
======
#!/sbin/setkey -f
flush;
spdflush;
add 192.168.1.86 192.168.1.254 ah 1000 -m tunnel -A hmac-md5 "1234567890123456";
add 192.168.1.254 192.168.1.86 ah 1001 -m tunnel -A hmac-md5 "1234567890123456";
#Tunnel specifications
spdadd 10.3.0.0/24 212.21.2.0/30 any -P out ipsec
ah/tunnel/192.168.1.86-192.168.1.254/require;
spdadd 212.21.2.0/30 10.3.0.0/24 any -P in ipsec
ah/tunnel/192.168.1.254-192.168.1.86/require;
Cisco
=====
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.252.0
 crypto map test
!
interface Serial1/1
 ip address 212.21.2.1 255.255.255.252
!
!
crypto ipsec transform-set test ah-md5-hmac
!
crypto map test 6 ipsec-manual
 set peer 192.168.1.86
 set session-key inbound ah 1000 1234567890123456
 set session-key outbound ah 1001 1234567890123456
 set transform-set test
 match address 110
!
!
access-list 110 permit ip 212.21.2.0 0.0.0.3 10.3.0.0 0.0.0.255
I have tried to ping from Network A to B and vice versa, but I see no
"echo-reply", meaning that only the originating SA is there but nothing in
return.
Please see whether the manual config above is OK.
When I tried setkey on 2.6.X it works without any trouble (needless to say).
Please share your valuable thoughts on this.
Thanks & regards,
rg.
On Fri, Apr 11, 2008 at 1:43 PM, Matthias Scheler
<tron%zhadum.org.uk@localhost> wrote:
> On Fri, Apr 11, 2008 at 11:17:30AM +0200, rsg wrote:
> > With setkey implementation, is it possible to establish tunnels with
> > devices from other vendors (Cisco)?
>
> Maybe. Cisco IPsec/IKE implementations are "special".
>
>
> > Please correct me if I'm wrong and provide me with compatible algorithms.
> > Thanks for your suggestions.
>
> Cisco routers should support 3DES and AES and so does NetBSD.
>
> Kind regards
>
> --
> Matthias Scheler http://zhadum.org.uk/
>
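One check worth running on a manual-keying setup like the one above, before chasing packets: setkey(8) accepts a key either as a double-quoted character string (each character becomes one key byte) or as a 0x-prefixed hex string, while the Cisco `set session-key` command takes its key as hexadecimal digits. The same sixteen characters therefore do not necessarily install the same key bytes on both gateways, and hmac-md5 needs exactly 16 key bytes. The script below is an added example, not code from the original post or from NetBSD or Cisco; it decodes a key as each side would, reports length and mismatch problems, and prints the 0x form that installs identical bytes. The key-length table and the example key are taken from the posted configuration; the Cisco hex-only syntax is assumed from the IOS command reference.

```python
# Added example (not from the original post): compare the key bytes that a
# setkey "add" line and a Cisco "set session-key ... ah" line actually
# install, so a manual-keying mismatch shows up before any traffic is sent.

import re

# Key sizes in bytes for the AH/ESP authentication algorithms used here:
# hmac-md5 takes a 128-bit key, hmac-sha1 a 160-bit key.
AUTH_KEY_BYTES = {"hmac-md5": 16, "hmac-sha1": 20}


def setkey_key_bytes(token):
    """Decode a key as written in a setkey 'add' line.

    A double-quoted string yields one key byte per character; a 0x-prefixed
    token is parsed as hexadecimal.  Anything else is rejected.
    """
    if len(token) >= 2 and token.startswith('"') and token.endswith('"'):
        return token[1:-1].encode("ascii")
    if token.lower().startswith("0x"):
        return bytes.fromhex(token[2:])
    raise ValueError("unrecognised setkey key syntax: %s" % token)


def cisco_key_bytes(hex_string):
    """Decode a Cisco 'set session-key inbound|outbound ah <spi> <key>' key.

    The IOS command takes the key as hex digits (assumption from the IOS
    command reference), so '1234567890123456' is 8 bytes, not 16.
    """
    if not re.fullmatch(r"[0-9a-fA-F]+", hex_string) or len(hex_string) % 2:
        raise ValueError("Cisco session-key must be an even number of hex digits: %s" % hex_string)
    return bytes.fromhex(hex_string)


def check_pair(algo, setkey_token, cisco_hex):
    """Return a list of problems found when the two sides' keys are compared.

    An empty list means both keys have the right length for `algo` and are
    byte-for-byte identical, which is what a manual SA needs to verify AH.
    """
    problems = []
    want = AUTH_KEY_BYTES[algo]
    a = setkey_key_bytes(setkey_token)
    b = cisco_key_bytes(cisco_hex)
    if len(a) != want:
        problems.append("setkey key is %d bytes, %s needs %d" % (len(a), algo, want))
    if len(b) != want:
        problems.append("Cisco key is %d bytes, %s needs %d" % (len(b), algo, want))
    if a != b:
        problems.append("keys differ: setkey installs %s, Cisco installs %s" % (a.hex(), b.hex()))
    return problems


def setkey_hex_form(token):
    """The 0x... spelling that installs the same bytes as a setkey key token.

    Dropping the 0x prefix gives the digits the Cisco side would need for the
    two gateways to share one key.
    """
    return "0x" + setkey_key_bytes(token).hex()


if __name__ == "__main__":
    # Values copied from the posted configuration.
    posted_setkey = '"1234567890123456"'
    posted_cisco = "1234567890123456"
    for problem in check_pair("hmac-md5", posted_setkey, posted_cisco):
        print("problem:", problem)
    print("equivalent setkey hex form:", setkey_hex_form(posted_setkey))
```

Run as-is it reports the Cisco key as 8 bytes and the two keys as different; rewriting both sides with the same 32 hex digits (the 0x form on the setkey side, the bare digits on the Cisco side) makes `check_pair` return an empty list.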