ifup-ipsec: Manual v. Automatic keying

Bojan Smojver bojan at rexursive.com
Fri Oct 6 04:45:47 UTC 2006


Disclaimer: I know bugger-all about IPSec.

I looked through this script in devel and it appears that it does
something like this (among other things) when using setkey -c:

------------------------------
spdadd $SPD_SRC $SPD_DST any -P out ipsec
            ${SPD_ESP_OUT:+esp/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require}
            ${SPD_AH_OUT:+ah/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require}
            ;

spdadd $SPD_DST $SPD_SRC any -P in ipsec
            ${SPD_ESP_IN:+esp/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require}
            ${SPD_AH_IN:+ah/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require}
            ;
------------------------------

The HOWTOs (located here:
http://lartc.org/howto/lartc.ipsec.automatic.keying.html and here:
http://www.ipsec-howto.org/x299.html) mention only the ESP bit in
relation to automatic keying, but not the AH bit. From the HOWTOs:

------------------------------
#!/sbin/setkey -f
flush;
spdflush;

spdadd 10.0.0.216 10.0.0.11 any -P out ipsec
	esp/transport//require;

spdadd 10.0.0.11 10.0.0.216 any -P in ipsec
	esp/transport//require;
------------------------------

------------------------------
#!/usr/sbin/setkey -f
#
# Flush SAD and SPD
flush;
spdflush;

# Create policies for racoon
spdadd 172.16.1.0/24 172.16.2.0/24 any -P out ipsec
           esp/tunnel/192.168.1.100-192.168.2.100/require;

spdadd 172.16.2.0/24 172.16.1.0/24 any -P in ipsec
           esp/tunnel/192.168.2.100-192.168.1.100/require;
------------------------------

FC5, which I'm using for my IPSec-to-PIX connection, is similar to devel
(i.e. it has the AH bits in spdadd). Does anyone on the list know why
there is a discrepancy?

The HOWTO method lets me establish a tunnel to PIX. The one from the
script does not...

-- 
Bojan
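
Added illustration (not code from the ifup-ipsec script or from the HOWTOs): the snippet below reproduces the script's `${VAR:+...}` expansions in a small function so the two policy forms can be compared side by side. Variable names follow the script excerpt above, the addresses are the HOWTOs' sample values, and the `requires_ah` helper and `--show` flag are this example's own.

```shell
#!/bin/sh
# Added example, not taken from ifup-ipsec or the HOWTOs. It reproduces the
# script's ${VAR:+...} expansions so the policy text that setkey -c would
# receive can be inspected with and without the AH part.

# Print the outbound and inbound spdadd policies from the script's variables.
# Empty SPD_AH_* leaves the AH part out; empty TUNNEL_MODE leaves the
# src-dst endpoints out (giving the HOWTO's "esp/transport//require" form).
spd_policy() {
    printf 'spdadd %s %s any -P out ipsec%s%s;\n' \
        "$SPD_SRC" "$SPD_DST" \
        "${SPD_ESP_OUT:+ esp/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require}" \
        "${SPD_AH_OUT:+ ah/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require}"
    printf 'spdadd %s %s any -P in ipsec%s%s;\n' \
        "$SPD_DST" "$SPD_SRC" \
        "${SPD_ESP_IN:+ esp/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require}" \
        "${SPD_AH_IN:+ ah/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require}"
}

# HOWTO-style policy: transport mode, ESP only (SPD_AH_* left empty).
howto_policy() (
    SPD_SRC=10.0.0.216; SPD_DST=10.0.0.11; MODE=transport
    TUNNEL_MODE=; SRC=; DST=
    SPD_ESP_OUT=yes; SPD_ESP_IN=yes; SPD_AH_OUT=; SPD_AH_IN=
    spd_policy
)

# Script-style policy: tunnel mode with both ESP and AH required.
script_policy() (
    SPD_SRC=172.16.1.0/24; SPD_DST=172.16.2.0/24; MODE=tunnel
    TUNNEL_MODE=yes; SRC=192.168.1.100; DST=192.168.2.100
    SPD_ESP_OUT=yes; SPD_ESP_IN=yes; SPD_AH_OUT=yes; SPD_AH_IN=yes
    spd_policy
)

# Returns 0 when a generated policy requires AH. With the "require" level,
# setkey needs an SA for every protocol listed, so a peer that only
# negotiates ESP cannot satisfy a policy that also lists ah/.../require.
requires_ah() {
    case "$1" in *" ah/"*) return 0 ;; *) return 1 ;; esac
}

if [ "${1:-}" = "--show" ]; then
    echo '# HOWTO form'; howto_policy
    echo '# ifup-ipsec form'; script_policy
fi
```

Run with `--show` to print both forms; the ESP-only output matches the HOWTO snippet exactly, while the script form carries the extra `ah/.../require` component that a peer negotiating only ESP cannot meet.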



