From: Brian C. <B.C...@po...> - 2006-02-08 09:32:51
On Tue, Feb 07, 2006 at 04:33:33PM -0600, Rafiqul Ahsan wrote:
> Thanks, I was able to do ESP only. But I may have to do both ESP, and
> AH..

Why? If you know so much about cryptography that you can override the expert opinion expressed in RFC 4301, then I'm sure you can work out the details for yourself.

> According to the example for combined, I have seen setkey man pages
> too - does this mean we have to create two separate security
> associations, for each direction? like spi has to be different then
> for each direction - right?

Yes. One SA for A to B, one for B to A. But I don't know what spd statements you'd need; perhaps just a single esp//transport. As I say, if you're going to do something unusual and not normally required, then I'm afraid you're likely to be on your own in getting it to work.

In any case, if you're doing manual keying you're not using ipsec-tools, so you'd be better off asking for help elsewhere (e.g. on a Linux networking list, or on a KAME project mailing list, since KAME is the basis of the Linux IPSEC stack I believe, and they'll know what all the setkey options do).

> Can you please refer some RFCs? Where I can get it?

A number of sites, including www.rfc-editor.org, although if you had just typed "RFC 4301" into Google you would have found it instantly. RFC 4301 to 4309 are the most recent core specs. However, I'd be the first to admit that the IPSEC RFCs are not the most approachable documents; they are formal specifications, and they expect a good understanding of the fundamentals of cryptography. You'd probably be better off buying a good book on the subject. I don't have one I can recommend specifically on IPSEC, but for background cryptography Bruce Schneier's "Applied Cryptography" is hard to beat.

HTH,
Brian.
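As an added example, not part of Brian's reply or the original thread: a setkey configuration in the style of the setkey man page examples for the manually keyed, ESP-only, transport-mode case discussed above, with one SA per direction and a distinct SPI for each. The SPD entries, the host addresses and the keys are assumptions constructed for illustration; the file is written from the point of view of host A (192.0.2.1), and host B loads a copy with the -P in/out directions swapped.

```conf
# Constructed example: manual-keyed ESP in transport mode between
# host A (192.0.2.1) and host B (192.0.2.2). Load on host A with
#   setkey -f thisfile
# Addresses, SPIs and keys below are placeholders made up for this example.

flush;
spdflush;

# One SA per direction; each direction gets its own SPI and its own keys.
# aes-cbc takes a 128-bit (32 hex digit) key, hmac-sha1 a 160-bit (40 hex digit) key.
add 192.0.2.1 192.0.2.2 esp 0x1001 -m transport
    -E aes-cbc   0x0123456789abcdef0123456789abcdef
    -A hmac-sha1 0x0123456789abcdef0123456789abcdef01234567;

add 192.0.2.2 192.0.2.1 esp 0x1002 -m transport
    -E aes-cbc   0xfedcba9876543210fedcba9876543210
    -A hmac-sha1 0xfedcba9876543210fedcba9876543210fedcba98;

# SPD entries (assumed form): require ESP in transport mode for traffic
# leaving A toward B and for traffic arriving at A from B. On host B the
# same two lines are loaded with "out" and "in" exchanged.
spdadd 192.0.2.1 192.0.2.2 any -P out ipsec esp/transport//require;
spdadd 192.0.2.2 192.0.2.1 any -P in  ipsec esp/transport//require;
```

After loading, `setkey -D` lists the two SAs and `setkey -DP` the two policies, which is the quickest way to confirm that each direction has its own SPI.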