
Re: linux-ipsec: Latest IPsec and connecting two IP networks.... :-(

From: David Sainty <DavidSainty(at)cit.com.au>
Date: Tue Sep 01 1998 - 07:42:48 EDT

Henry, All,

I am pleased to report that the problem no longer exists. :-) Not being able to contact computers on the other side was mostly caused by the fact that on the other (192.168.2.x) network, most computers had no default gateway set. Had I known this, I would not have wasted anyone's time!

I now have an environment where every computer on one network can see every computer on the other network but this is only with IP4 and ESP. The problem I'm having now is with authentication. I am using ipsec lines on each system like:

/sbin/insmod ipip
/sbin/insmod ipsec
/usr/local/lib/ipsec/tncfg --attach --virtual ipsec0 --physical eth0
ifconfig ipsec0 inet e.f.g.h broadcast a.b.c.d netmask 255.255.255.0
ulimit -c 0
touch /var/lock/subsys/ipsec
route add -net 192.168.2.0 netmask 255.255.255.0 dev ipsec0 gw e.f.g.h
/usr/local/lib/ipsec/spi --clear
/usr/local/lib/ipsec/eroute --clear
/usr/local/lib/ipsec/eroute --add --src 192.168.1.0/24 --dst 192.168.2.0/24 \
    --edst e.f.g.h --spi 0x223
/usr/local/lib/ipsec/spi --ip4 --edst e.f.g.h --spi 0x223 --src a.b.c.d \
    --dst e.f.g.h
/usr/local/lib/ipsec/spi --esp 3des-md5-96 --edst e.f.g.h --spi 0x225 \
    --iv 0x1000000000000001 \
    --enckey 0x663066306630663066306630663066306630663066301111 \
    --authkey 0x66306630663066306630663066302222
/usr/local/lib/ipsec/spi --ah hmac-md5 --edst e.f.g.h --spi 0x226 \
    --authkey 0x66306630663066306630663066302222

Following comes spigrp, etc, but at this point I get an error:

/usr/local/lib/ipsec/spi: Had trouble writing to /dev/ipsec -- Invalid argument, check kernel log messages for specifics.

I check the log and I've got:

Sep 1 21:27:40 sydney kernel: ipsec_callback: skb=5b0a20 skblen=48 em_magic=1400332654 em_type=2 em_spi=0x226
Sep 1 21:27:40 sydney kernel: ipsec_callback: could not find a TDB for spi=0x226, daddr=e.f.g.h, allocating (this is normal)
Sep 1 21:27:40 sydney kernel: tdb_init: calling init routine of HMAC MD5 Authentication
Sep 1 21:27:40 sydney kernel: ahhmacmd5_init: called for dst=e.f.g.h, spi=0x226
Sep 1 21:27:40 sydney kernel: ahhmacmd5_init: incorrect key size: 56 -- must be 16 octets (bytes)

What am I doing wrong? Also, if I attempt to use hmac-md5:

# spi --ah hmac-sha1 --edst e.f.g.h --spi 0x226 --authkey 0x66306630663066306630

I get:

spi: Failed -- requires an authentication key length of 0 bytes (1 byte = 2 hexadecimal digits).

Obviously the "2" is missing from the error. The log says something like:

Sep 1 18:19:45 sydney kernel: ipsec_callback: skb=a0f544 skblen=52 em_magic=1400332654 em_type=2 em_spi=0x226
Sep 1 18:19:45 sydney kernel: ipsec_callback: could not find a TDB for spi=0x226, daddr=e.f.g.h, allocating (this is normal)
Sep 1 18:19:45 sydney kernel: tdb_init: calling init routine of HMAC SHA-1 Authentication
Sep 1 18:19:45 sydney kernel: ahhmacsha1_init: incorrect key size: 56 -- must be 20 octets (bytes)

Any input would as always be appreciated, and thanks again for a great product!!

David Sainty.

Received on Tue Sep 1 10:38:56 1998
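
Added example, not part of the original message or of the ipsec tools: a pre-flight check that counts the octets in each 0x-prefixed key argument of a manually keyed `spi` call and compares the count with what the transform needs, so a length problem on the command line can be told apart from one reported later by the kernel. The function names `hex_octets`, `need` and `check_spi` are hypothetical; the 16- and 20-octet sizes come from the kernel log lines above, the 24-octet key and 8-octet IV are the standard 3DES values, and it is an assumption that `3des-md5-96` takes the same 16-octet authentication key as `hmac-md5`.

```shell
#!/bin/sh
# Pre-flight check for manually keyed `spi` calls (added example).
# Usage: check_spi --ah hmac-md5 --edst e.f.g.h --spi 0x226 --authkey 0x...

# hex_octets 0xHEX -> prints the octet count; returns 1 on malformed input.
hex_octets() {
    h=${1#0x}
    [ "$h" != "$1" ] || return 1               # must carry the 0x prefix
    case $h in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    [ $(( ${#h} % 2 )) -eq 0 ] || return 1     # 1 byte = 2 hexadecimal digits
    echo $(( ${#h} / 2 ))
}

# need KIND ALG -> prints the required octets (nothing if ALG is not listed).
need() {
    case "$1:$2" in
        auth:hmac-md5|auth:3des-md5-96) echo 16 ;;  # size from the kernel log
        auth:hmac-sha1)                 echo 20 ;;  # size from the kernel log
        enc:3des-md5-96)                echo 24 ;;  # 3DES: three 8-octet DES keys
        iv:3des-md5-96)                 echo 8  ;;  # one DES block
    esac
}

# check_spi ARGS... -> one report line per key argument; returns 1 if any
# key is malformed or has the wrong size, 2 if an option lacks its value.
check_spi() {
    alg= rc=0
    while [ $# -gt 0 ]; do
        case $1 in
            --ah|--esp)
                [ $# -ge 2 ] || return 2
                alg=$2; shift ;;
            --authkey|--enckey|--iv)
                [ $# -ge 2 ] || return 2
                case $1 in --authkey) kind=auth ;; --enckey) kind=enc ;; *) kind=iv ;; esac
                want=$(need "$kind" "$alg")
                if got=$(hex_octets "$2"); then
                    [ -z "$want" ] || [ "$got" -eq "$want" ] || rc=1
                else
                    got=malformed; rc=1
                fi
                echo "$1: $got octets, ${want:-?} required for $alg"
                shift ;;
        esac
        shift
    done
    return $rc
}
```

The transform option (`--ah` or `--esp`) has to come before the key options, as it does in the commands above, because the required size is looked up when each key is read.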

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:26 EDT

