> Does it require more than setkey? Or does it need pseudo devices, GRE or
> anything? Just setting up tunnel mode doesn't appear to work - nothing gets
> crypted or signed.
>
> Alexey, any ideas?
This is the setup I am using ON host 10.0.0.216 itself:
# AH
add 1.2.3.4 10.0.0.216 ah 25700 -A hmac-md5 "1234567890123456";
add 10.0.0.216 1.2.3.4 ah 34500 -A hmac-md5 "1234567890123456";
# ESP
add 1.2.3.4 10.0.0.216 esp 25701 -E 3des-cbc "123456789012123456789012";
add 10.0.0.216 1.2.3.4 esp 34501 -E 3des-cbc "123456789012123456789012";
spdadd 10.0.0.0/24 1.2.3.0/24 any -P out ipsec
esp/tunnel/1.2.3.4-10.0.0.216/require;
If I now ping 1.2.3.4, I see the packet go out on the wire unencrypted.
If I ping from 10.0.0.11 with a route to 1.2.3.0/24 to the ipsec host
10.0.0.216, I get an ICMP redirect.
Oh, by the way, my lowly pentiumpro200 manages to crypt *6 megabits/second*
with 3des-cbc! The box does get a bit slowish over the network then though.
Regards,
bert
-- http://www.PowerDNS.com Versatile DNS Software & Services http://lartc.org Linux Advanced Routing & Traffic Control HOWTO - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/