Christian Weisgerber <[EMAIL PROTECTED]> wrote:

> If anybody uses isakmpd(8) to set up AH, I'd really like to see the
> relevant parts of their isakmpd.conf.
To follow up on my own question: It turns out that when you define the protocol suite for AH, you need to specify the hash algorithm both as TRANSFORM_ID and (in a slightly different syntax) as AUTHENTICATION_ALGORITHM. In particular, the predefined quick mode AH suites in isakmpd are completely wrong. This is being fixed.

Here's an example for transport mode AH with SHA2-256:

[QM-AH-TRP-SHA2-256-SUITE]:Protocols=QM-AH-TRP-SHA2-256
[QM-AH-TRP-SHA2-256]:PROTOCOL_ID=IPSEC_AH
[QM-AH-TRP-SHA2-256]:Transforms=QM-AH-TRP-SHA2-256-XF
[QM-AH-TRP-SHA2-256-XF]:TRANSFORM_ID=SHA2_256
[QM-AH-TRP-SHA2-256-XF]:ENCAPSULATION_MODE=TRANSPORT
[QM-AH-TRP-SHA2-256-XF]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256
[QM-AH-TRP-SHA2-256-XF]:Life=LIFE_QUICK_MODE

Ongoing work on isakmpd and ipsecctl should soon render this sort of arcane knowledge irrelevant for just about everybody.

-- 
Christian "naddy" Weisgerber                          [EMAIL PROTECTED]
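The point of the post is that an AH transform in isakmpd.conf has to carry the hash twice, once as TRANSFORM_ID and once as AUTHENTICATION_ALGORITHM, and that the shipped suites got this wrong. Below is an added example, not from the post or from isakmpd itself, that parses the `[Section]:Tag=Value` notation shown above (and, as an assumption, the INI-style `[Section]` / `Tag=Value` layout) and flags AH transforms where one of the two names is missing or the two disagree. Only the SHA2_256 / HMAC_SHA2_256 pairing comes from the post; the other rows of the mapping table and the sample configs are constructed for the example.

```python
"""Check that every AH protocol in an isakmpd.conf names its hash both as
TRANSFORM_ID and as a matching AUTHENTICATION_ALGORITHM.  Example code, not
part of isakmpd; the notation and the SHA2_256 pairing follow the post."""
import re
from collections import defaultdict

# Mapping assumed for this example: only the SHA2_256 row is taken from the
# post; the others follow the same naming convention and are an assumption.
AH_TRANSFORM_TO_AUTH = {
    "MD5": "HMAC_MD5",
    "SHA": "HMAC_SHA",
    "SHA2_256": "HMAC_SHA2_256",
    "SHA2_384": "HMAC_SHA2_384",
    "SHA2_512": "HMAC_SHA2_512",
}

# Constructed sample: the SHA2-256 transport-mode suite from the post.
GOOD_CONF = """\
[QM-AH-TRP-SHA2-256-SUITE]:Protocols=QM-AH-TRP-SHA2-256
[QM-AH-TRP-SHA2-256]:PROTOCOL_ID=IPSEC_AH
[QM-AH-TRP-SHA2-256]:Transforms=QM-AH-TRP-SHA2-256-XF
[QM-AH-TRP-SHA2-256-XF]:TRANSFORM_ID=SHA2_256
[QM-AH-TRP-SHA2-256-XF]:ENCAPSULATION_MODE=TRANSPORT
[QM-AH-TRP-SHA2-256-XF]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256
[QM-AH-TRP-SHA2-256-XF]:Life=LIFE_QUICK_MODE
"""

# Constructed sample: one transform gives TRANSFORM_ID only (the incomplete
# shape the post warns about), the other names two different hashes.
BAD_CONF = """\
[QM-AH-TRP-SHA-SUITE]:Protocols=QM-AH-TRP-SHA
[QM-AH-TRP-SHA]:PROTOCOL_ID=IPSEC_AH
[QM-AH-TRP-SHA]:Transforms=QM-AH-TRP-SHA-XF
[QM-AH-TRP-SHA-XF]:TRANSFORM_ID=SHA
[QM-AH-TRP-SHA-XF]:ENCAPSULATION_MODE=TRANSPORT
[QM-AH-TRP-SHA-XF]:Life=LIFE_QUICK_MODE
[QM-AH-TUN-MD5-SUITE]:Protocols=QM-AH-TUN-MD5
[QM-AH-TUN-MD5]:PROTOCOL_ID=IPSEC_AH
[QM-AH-TUN-MD5]:Transforms=QM-AH-TUN-MD5-XF
[QM-AH-TUN-MD5-XF]:TRANSFORM_ID=MD5
[QM-AH-TUN-MD5-XF]:ENCAPSULATION_MODE=TUNNEL
[QM-AH-TUN-MD5-XF]:AUTHENTICATION_ALGORITHM=HMAC_SHA
[QM-AH-TUN-MD5-XF]:Life=LIFE_QUICK_MODE
"""

_ONE_LINE = re.compile(r"^\[([^\]]+)\]:([^=]+)=(.*)$")


def parse_conf(text):
    """Parse '[Section]:Tag=Value' lines, plus INI-style '[Section]' headers
    followed by 'Tag=Value' lines, into {section: {tag: value}}."""
    conf = defaultdict(dict)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ONE_LINE.match(line)
        if m:
            conf[m.group(1)][m.group(2).strip()] = m.group(3).strip()
        elif line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section is not None:
            tag, value = line.split("=", 1)
            conf[section][tag.strip()] = value.strip()
    return dict(conf)


def check_ah_transforms(conf):
    """Return a list of problem strings for AH protocols whose transforms
    lack TRANSFORM_ID or AUTHENTICATION_ALGORITHM, or whose two names do
    not denote the same hash.  An empty list means the AH suites are
    consistently defined."""
    problems = []
    for name, tags in conf.items():
        if tags.get("PROTOCOL_ID") != "IPSEC_AH":
            continue
        xfs = [x.strip() for x in tags.get("Transforms", "").split(",") if x.strip()]
        if not xfs:
            problems.append(f"{name}: no Transforms")
        for xf in xfs:
            t = conf.get(xf)
            if t is None:
                problems.append(f"{name}: transform section {xf} not found")
                continue
            tid = t.get("TRANSFORM_ID")
            auth = t.get("AUTHENTICATION_ALGORITHM")
            if tid is None:
                problems.append(f"{xf}: TRANSFORM_ID missing")
            elif tid not in AH_TRANSFORM_TO_AUTH:
                problems.append(f"{xf}: unknown AH TRANSFORM_ID {tid}")
            if auth is None:
                problems.append(f"{xf}: AUTHENTICATION_ALGORITHM missing")
            elif tid is not None and AH_TRANSFORM_TO_AUTH.get(tid) != auth:
                problems.append(
                    f"{xf}: TRANSFORM_ID {tid} does not match "
                    f"AUTHENTICATION_ALGORITHM {auth}")
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, check_ah_transforms(parse_conf(text)) or "ok")
```

Run against the sample from the post the checker reports nothing; against the constructed bad config it reports the transform that only has TRANSFORM_ID and the one whose AUTHENTICATION_ALGORITHM names a different hash. ESP suites are skipped on purpose, since only AH is the subject of the post.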

