Re: [Ipsec-tools-devel] IPSec connection between host (Cent OS 4.2) to host (Solaris9)

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Tue, Feb 07, 2006 at 04:33:33PM -0600, Rafiqul Ahsan wrote:
>    Thanks, I was able to do ESP only. But I may have to do both ESP, and
>    AH..

Why? If you know so much about cryptography that you can override the expert
opinion expressed in RFC 4301, then I'm sure you can work out the details
for yourself.

>    According to the example for combined , I have seen setkey man pages
>    too - does this mean we have to create two separate security
>    associations , for each direction ? like spi has to be different then
>    for each direction - right ?

Yes. One SA for A to B, one for B to A. But I don't know what spd statements
you'd need; perhaps just a single esp//transport.

As I say, if you're going to do something unusual and not normally required,
then I'm afraid you're likely to be on your own in getting it to work.

In any case, if you're doing manual keying you're not using ipsec-tools, so
you'd be better off asking for help elsewhere (e.g. on a Linux networking
list, or on a KAME project mailing list, since KAME is the basis of the
Linux IPSEC stack I believe, and they'll know what all the setkey options
do)

>    Can you please refer some RFCs ? Where I can get it ?

A number of sites, including www.rfc-editor.org
although if you had just typed "RFC 4301" into Google you would have found
it instantly.

RFC 4301 to 4309 are the most recent core specs. However, I'd be the first
to admit that the IPSEC RFC's are not the most approachable documents; they
are formal specifications, and they expect a good understanding of the
fundamentals of cryptography. You'd probably be better off buying a good
book on the subject.

I don't have one I can recommend specifically on IPSEC, but for background
cryptography Bruce Schneier's "Applied Cryptography" is hard to beat.

HTH, Brian.