Subject: FW: Configuring IPSec tunnel between NetBSD and Intel Shiva
To: None <netbsd-help@NetBSD.ORG>
From: Derrick Lobo <derrick@givex.com>
List: netbsd-help
Date: 02/17/2003 15:51:29
-----Original Message-----
From: Derrick Lobo [mailto:derrick@givex.com]
Sent: Friday, February 14, 2003 10:30 AM
To: 'Daniel Eggert'
Subject: RE: Configuring IPSec tunnel between NetBSD and Intel Shiva
Thanks Daniel
Here are the settings on Shiva for

IKE
  Algorithm              3des-168bitkey
  Authentication         sha1, md5
  Keylifetime            8 hours
  DH Group               2 RSA 1024 bits
  Aggressive Mode        Off, On

IPSec
  ESP Algorithm          3des-168bit key, AS
  ESP Authentication     sha1, md5, none
  Authentication Header  none, md5, sha1
  Key Lifetime           8 hours
  Secondary Authentication  None, Key
  Perfect Forward Secrecy   Off, On
  Tunnel ESP Mode        On, Off
My Config on Shiva
secure-profile IPEC-NAME
encapsulation v2-esp
authentication key
secondary-authentication none
ike-group 2
ike-algorithm 3des
ike-authentication hmac-sha1
ike-crypto-period 480
ike-kbyte-limit 0
aggressive-mode off
perfect-forward-secrecy off
ipsec-commitbit disable
negotiate-higher-security off
preserve-tos off
esp-authentication none
ah none
algorithm 3des
tunnel-esp-mode on
crypto-period 480
kbyte-limit 0
timeout 0
keep-alive 0
client-timeout 0
client-keep-alive 0
udp-encapsulation 0
split-tunnel disable
encryptor xxx.xxx.xxx.xxx x
negotiation master yes
tunnel-type ipsec
mode black
failover-for 0.0.0.0 0
cleartext-backup 0.0.0.0
profile IPEC-NAME
auth-key ********
sa ipsec-name-p1
destination aaa.aaa.aaa.aaa 255.255.0.0 all
source bbb.bbb.bbb.bbb 255.255.255.255 all
protocol all
profile IPEC-NAME
metric 0
The only difference I can think of is the key lifetime, because I'm not using it
in the setkey command.
Thanks
Derrick
-----Original Message-----
From: Daniel Eggert [mailto:danieleggert@mac.com]
Sent: Friday, February 14, 2003 9:16 AM
To: derrick@givex.com
Cc: netbsd-help@netbsd.org
Subject: Re: Configuring IPSec tunnel between NetBSD and Intel Shiva
What exactly does the Shiva documentation say about IPsec
configuration? What encryption schemes do you have to use with Shiva?
It is important, that your NetBSD configuration of IPsec matches the
one for the Shiva.
/Daniel
On Friday, Feb 14, 2003, at 15:15 Europe/Copenhagen, Derrick Lobo wrote:
>
> Hi All
>
> I am using the setkey command to enable tunnel on netbsd with 3des and
> sha1.
> While browsing the web I read a document which said Intel Shiva has to be
> configured for IPsec and not the proprietary software. I have included my
> ipsec.conf
>
> ipsec.conf
> add yyy.yyy.yyy.yyy xxx.xxx.xxx.xxx esp 9780 -E 3des-cbc
> "abcd1234abcd1234abcd1234" -A hmac-sha1 "abcd1234abcd1234abcd";
> add xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy esp 10001 -E 3des-cbc
> "abcd1234abcd1234abcd1234" -A hmac-sha1 "abcd1234abcd1234abcd";
>
> spdadd aaa.aaa.aaa.aaa/32 bbb.bbb.bbb.bbb/24 any -P out ipsec
> esp/tunnel/yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx/require;
> spdadd bbb.bbb.bbb.bbb/24 aaa.aaa.aaa.aaa/32 any -P in ipsec
> esp/tunnel/xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy/require;
>
> I am not using racoon....
>
> Thanks
>
> Derrick
>
>
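The Shiva profile quoted above (ike-group 2, ike-algorithm 3des, ike-authentication hmac-sha1, ike-crypto-period 480, aggressive-mode off, auth-key) describes an IKE peer with a pre-shared key, while the quoted ipsec.conf installs manually keyed SAs with setkey and no IKE daemon, so the two sides never negotiate with each other regardless of the lifetimes. The configuration below is an added example, not from the thread or from either vendor's documentation, showing a racoon(8) setup on the NetBSD side that mirrors the Shiva profile. It keeps the thread's placeholder addresses (xxx = Shiva, yyy = NetBSD, aaa = local host, bbb = remote network), assumes the Shiva's esp-authentication is changed from none to sha1 so that ESP carries an integrity check, and uses a labelled placeholder for the shared secret. The spdadd lines from the original ipsec.conf stay as they are; only the two manual add lines are dropped, because racoon installs the SAs when the kernel requests them.

```conf
# /etc/racoon/racoon.conf  (added example; addresses are the thread's placeholders)
path pre_shared_key "/etc/racoon/psk.txt";

# Phase 1 (IKE) towards the Shiva, mirroring its profile:
#   main mode          <- aggressive-mode off
#   dh_group 2         <- ike-group 2
#   3des / sha1        <- ike-algorithm 3des, ike-authentication hmac-sha1
#   pre-shared key     <- authentication key / auth-key
#   480 min lifetime   <- ike-crypto-period 480
remote xxx.xxx.xxx.xxx {
        exchange_mode main;
        my_identifier address yyy.yyy.yyy.yyy;
        lifetime time 480 min;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Phase 2 (IPsec SA) for the selectors used in the spdadd lines:
#   3des               <- algorithm 3des
#   hmac_sha1          <- esp-authentication sha1 (assumed changed from none)
#   480 min lifetime   <- crypto-period 480
#   no pfs_group line  <- perfect-forward-secrecy off
sainfo address aaa.aaa.aaa.aaa/32 any address bbb.bbb.bbb.bbb/24 any {
        lifetime time 480 min;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# /etc/racoon/psk.txt  (mode 0600, owned by root): peer address, whitespace, secret.
# The secret must equal the auth-key configured on the Shiva; placeholder below.
# xxx.xxx.xxx.xxx    REPLACE-WITH-THE-SHIVA-AUTH-KEY

# /etc/ipsec.conf  (policy only; the two manual "add" lines are removed)
# spdadd aaa.aaa.aaa.aaa/32 bbb.bbb.bbb.bbb/24 any -P out ipsec
#        esp/tunnel/yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx/require;
# spdadd bbb.bbb.bbb.bbb/24 aaa.aaa.aaa.aaa/32 any -P in ipsec
#        esp/tunnel/xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy/require;
```

Load the policy with `setkey -f /etc/ipsec.conf`, start racoon, and watch `setkey -D` for the negotiated SAs after the first packet matching the policy is sent. If manual keying is kept instead, the Shiva side has to be switched to manual keys as well, and the keys should be generated randomly (for example with `openssl rand -hex 24` for 3des-cbc and `openssl rand -hex 20` for hmac-sha1, given to setkey in 0x... form) rather than typed strings like the ones in the quoted configuration.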