From: tito <ab...@di...> - 2003-09-29 12:38:02

While trying to use AH instead of ESP I get the following problem:

flush;
spdflush;
add 10.1.0.2 10.3.0.2 ah 0x200 -A hmac-md5 0x59cdc9f7b1772653c04e5d0ebfa78244;
add 10.3.0.2 10.1.0.2 ah 0x300 -A hmac-md5 0xaa253094f049421960d7f61fa92ce151;
spdadd 10.3.0.2 10.1.0.2 any -P out ipsec ah/transport/10.1.0.2-10.3.0.2/require;
spdadd 10.1.0.2 10.3.0.2 any -P in ipsec ah/transport/10.3.0.2-10.1.0.2/require;

works (I can see the AH header with a sniffer), but if I use:

flush;
spdflush;
add 10.1.0.2 10.3.0.2 ah 0x200 -A hmac-md5 0x59cdc9f7b1772653c04e5d0ebfa78244;
add 10.3.0.2 10.1.0.2 ah 0x300 -A hmac-md5 0xaa253094f049421960d7f61fa92ce151;
spdadd 10.3.0.2 10.1.0.2 any -P out ipsec ah/transport//require;
spdadd 10.1.0.2 10.3.0.2 any -P in ipsec ah/transport//require;

it doesn't work, packets go without AH header. If I see the SPD with setkey -DP I can see in the first case:

[root@host2 etc]# setkey -DP
10.1.0.2[any] 10.3.0.2[any] any
	Policy:[Invalid address specification]
	created: Sep 29 13:40:40 2003  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=320 seq=1 pid=798 refcnt=1
10.3.0.2[any] 10.1.0.2[any] any
	Policy:[Invalid address specification]
	created: Sep 29 13:40:40 2003  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=313 seq=0 pid=798 refcnt=1

while in the second case I get:

[root@host2 etc]# setkey -DP
10.1.0.2[any] 10.3.0.2[any] any
	in none
	created: Sep 29 13:38:24 2003  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=304 seq=1 pid=795 refcnt=1
10.3.0.2[any] 10.1.0.2[any] any
	out none
	created: Sep 29 13:38:24 2003  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=297 seq=0 pid=795 refcnt=1

Am I doing something wrong?? My kernel is 2.6-test5, using Red Hat and latest ipsec-tools version at sourceforge.

Best regards,
TITO.
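An added example (not part of the post or of ipsec-tools) that reads `setkey -DP` listings like the two quoted above and reports selectors whose policy is "none", so traffic matching them leaves without AH, or whose policy setkey could not display, as in the first listing; the sample input is constructed from the second listing, and the regexes assume the "src[port] dst[port] proto" / "direction policy" / "proto/mode/endpoints/level" line layout shown there.

```python
import re

# Constructed sample: the second `setkey -DP` listing from the post (the case
# where packets left without AH), with the tab indentation restored.
SPD_DUMP = """\
10.1.0.2[any] 10.3.0.2[any] any
\tin none
\tcreated: Sep 29 13:38:24 2003  lastused:
\tlifetime: 0(s) validtime: 0(s)
\tspid=304 seq=1 pid=795 refcnt=1
10.3.0.2[any] 10.1.0.2[any] any
\tout none
\tcreated: Sep 29 13:38:24 2003  lastused:
\tlifetime: 0(s) validtime: 0(s)
\tspid=297 seq=0 pid=795 refcnt=1
"""

SELECTOR_RE = re.compile(r"^(\S+)\[(\S+)\] (\S+)\[(\S+)\] (\S+)$")  # src[port] dst[port] proto
POLICY_RE = re.compile(r"^(in|out|fwd) (none|ipsec|discard)$")      # direction policy
REQUEST_RE = re.compile(r"^(ah|esp|ipcomp)/(transport|tunnel)/[^/]*/\w+$")  # e.g. ah/transport//require

def parse_spd(dump):
    """Turn `setkey -DP` output into one dict per SPD entry."""
    entries, cur = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if line and not raw[0].isspace():            # unindented: selector line
            m = SELECTOR_RE.match(line)
            cur = {"src": m.group(1), "dst": m.group(3), "proto": m.group(5),
                   "direction": None, "policy": None, "requests": []} if m else None
            if cur:
                entries.append(cur)
        elif line and cur is not None:
            m = POLICY_RE.match(line)
            if m:
                cur["direction"], cur["policy"] = m.group(1), m.group(2)
            elif REQUEST_RE.match(line):
                cur["requests"].append(line)
            elif line.startswith("Policy:["):        # setkey could not render the policy
                cur["policy"] = line
    return entries

def not_ipsec(entries):
    """Entries that will not add AH/ESP: policy 'none' (traffic in the clear,
    as in the post) or a policy setkey could not show, which needs a manual check."""
    return [(e["src"], e["dst"], e["direction"], e["policy"])
            for e in entries if e["policy"] != "ipsec" or not e["requests"]]
```

Run it against a saved `setkey -DP` dump after loading a configuration; an empty result from `not_ipsec` means every listed selector carries a readable ipsec policy with at least one AH/ESP request.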