OpenSwan, ipsec.conf man page:
CONN PARAMETERS: MANUAL KEYING
The following parameters are relevant only to manual keying, and are ignored in automatic keying.
and, still in that section:
esp ESP encryption/authentication algorithm to be used for the connection, e.g. 3des-md5-96 (must be suitable as a value of ipsec_spi(8)'s --esp option); default is not to use ESP
Note that this option ("esp") doesn't appear in the AUTOMATIC KEYING options list. From the above, one would guess that it's only for manual keying, and that for automatic keying the option is ignored - that, indeed, it's not necessary.
Right? Unfortunately, that’s not true, from what I’ve seen.
Until I added:
esp=3des-sha1-96
to a particular automatic keyed connection, it simply wouldn’t work, because the default is to use md5 instead of sha1, and the other side used sha1.
Oh well… things like this end up making us sysadmins not trust documentation. Unless it’s OpenBSD, of course.
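Since the man page gives no hint that esp= matters for automatically keyed connections, the practical check is to make sure every conn stanza pins its ESP algorithms explicitly instead of relying on the implicit default. The script below is an added example, not from the original post or from OpenSwan: it walks an ipsec.conf and lists the conn sections that have no esp= line (a conn %default setting esp= is treated as covering all of them). The sample configuration is constructed for the demonstration; the address values and connection names are placeholders, and the parser assumes the usual "conn NAME" headers followed by indented key=value lines and does not follow also= references.

```shell
#!/bin/sh
# Added example (not part of the original post): report conn stanzas in an
# ipsec.conf that leave esp= unset, so an implicit ESP algorithm choice is
# caught before it shows up as a negotiation mismatch with the peer.
# Assumption: stanzas start with "conn NAME" or "config setup" at column 0 and
# their parameters are indented "key=value" lines; also= includes are not followed.

# Print the names of conn sections with no esp= line (one per line).
# If "conn %default" sets esp=, every conn inherits it and nothing is printed.
conns_without_esp() {
    awk '
        function flush() {
            if (section == "conn" && name != "%default" && !has_esp)
                missing[n++] = name
        }
        # Section header: close the previous section, start a new one
        /^(conn|config)[ \t]+/ {
            flush()
            section = $1
            name = $2
            has_esp = 0
            next
        }
        # Indented esp= line belongs to the current section
        /^[ \t]+esp[ \t]*=/ {
            if (section == "conn" && name == "%default") default_esp = 1
            else has_esp = 1
        }
        END {
            flush()
            if (!default_esp)
                for (i = 0; i < n; i++) print missing[i]
        }
    ' "$1"
}

# Write a constructed sample ipsec.conf to the given path (placeholder values).
# "office-vpn" relies on the implicit default; "office-vpn-fixed" pins esp=,
# as the post ended up having to do.
write_sample_conf() {
    cat > "$1" <<'EOF'
version 2.0

config setup
    protostack=netkey

conn %default
    keyexchange=ike

conn office-vpn
    left=192.0.2.1
    right=198.51.100.1
    auto=start

conn office-vpn-fixed
    left=192.0.2.1
    right=198.51.100.1
    # explicit algorithms, matching what the peer expects
    esp=3des-sha1-96
    auto=start
EOF
}

# Stand-alone usage: write the sample and list the conns that need attention.
sample=$(mktemp)
write_sample_conf "$sample"
echo "conn sections without an explicit esp= setting:"
conns_without_esp "$sample"
rm -f "$sample"
```

Run it against a real /etc/ipsec.conf with `conns_without_esp /etc/ipsec.conf`; any name it prints is a connection whose ESP cipher and integrity algorithms are whatever the local implementation's default happens to be, which is exactly the situation that broke the connection described above.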