1997-02-11 - Re: question on setting up for ipsec/linux

Header Data

From: John Ioannidis <ji@hol.gr>
To: rodney@sabletech.com
Message Hash: 6619299b9e4ca074acfc3a8762ac4f0f2e0340684d4006b2346eb935d8ac03f2
Message ID: <199702111426.GAA19858@toad.com>
Reply To: N/A
UTC Datetime: 1997-02-11 14:26:39 UTC
Raw Date: Tue, 11 Feb 1997 06:26:39 -0800 (PST)

Raw message

From: John Ioannidis <ji@hol.gr>
Date: Tue, 11 Feb 1997 06:26:39 -0800 (PST)
To: rodney@sabletech.com
Subject: Re: question on setting up for ipsec/linux
Message-ID: <199702111426.GAA19858@toad.com>
MIME-Version: 1.0
Content-Type: text/plain


I'm away from Greece until the end of february. Some questions I may be
able to answer, but I don't have the ipsec code with me, nor do I have
a setup where I can test things. Here are some tips that may help you though.

* The code has been tested under 2.0.27 and 2.0.28. It will probably run
on kernels down to 2.0.24. It will not even load with 2.1.x. 

* Only "tunnel mode" works. I'm waiting for a few more chances to occur
to the 2.1.x routing code before I move the IPSEC code to 2.1.x and 
implement transport mode.

* While not reflectedected in the (excuse for) documentation, I *have*
tested all the modes for all the transforms. Of course, I may have 
interpreted the I-Ds in the wrong way, but I don't think so. The following
transforms are supported:

	ah md5
	esp des (with 32 and 64 bit IVs)
	ah hmac-md5
	ah hmac-sha-1
	esp des-md5
	esp 3des-md5

Please not that the des-md5 and 3des-md5 have this weird concept of the Initiator
and Responder. Since we're still doing manual keying anyway, it doesn't
matter much wich side is which, and it doesn't even matter which if both
sides are Is or Rs. The information is onlyl used to derive the
encryption and authentication keys, the IV and the counter, from the
(hopefully) negotiated shared secret. If all else fails, set both sides to
be Initiators, and this way you won't have to think about which "setsa"
lines get an r and which get an i.

I'll try to write up som e more docs when I'm back in Athens, but if
someone else from Europe could do it, it would be good.

/ji






Thread