RE: Test AES-CCM mode via IPSec (NETKEY)

>Hi,
>
>Try these scripts with proper IP address. In addition, you must patch
>iproute2 manually using the patch from Herbert's email:
>
>[lho@svdclab161 sec]$ cat ip-start-transport-ccm
>#!/bin/sh
>
>NODE=$1
>
>echo "Starting IPSec transport mode using CCM..."
>
>./ip xfrm policy flush
>./ip xfrm state flush
>#
># SA
>./ip xfrm state add src 10.66.21.164 dst 10.66.21.166 proto esp spi \
>    0x201 mode transport aead "rfc4309(ccm(aes))" \
>    0x0102037aeaca3f87d060a12f4a4487d5a5c335 96
>./ip xfrm state add src 10.66.21.166 dst 10.66.21.164 proto esp spi \
>    0x301 mode transport aead "rfc4309(ccm(aes))" \
>    0x010203f6ddb555acfd9d77b03ea3843f265325 96
>#
># Policy
>if [ "${NODE}" = "A" ]; then
>        ./ip xfrm policy add dir out src 10.66.21.164 dst 10.66.21.166 \
>                tmpl proto esp mode transport
>        ./ip xfrm policy add dir in src 10.66.21.166 dst 10.66.21.164 \
>                tmpl proto esp mode transport
>fi
>if [ "${NODE}" = "B" ]; then
>        ./ip xfrm policy add dir in src 10.66.21.164 dst 10.66.21.166 \
>                tmpl proto esp mode transport
>        ./ip xfrm policy add dir out src 10.66.21.166 dst 10.66.21.164 \
>                tmpl proto esp mode transport
>fi
> 
>[lho@svdclab161 sec]$ cat ip-start-transport-gcm
>#!/bin/sh
>
>NODE=$1
>
>echo "Starting IPSec transport mode using GCM..."
>
>./ip xfrm policy flush
>./ip xfrm state flush
>#
># SA
>./ip xfrm state add src 10.66.21.164 dst 10.66.21.166 proto esp spi \
>    0x201 mode transport aead "rfc4106(gcm(aes))" \
>    0x010203047aeaca3f87d060a12f4a4487d5a5c335 96
>./ip xfrm state add src 10.66.21.166 dst 10.66.21.164 proto esp spi \
>    0x301 mode transport aead "rfc4106(gcm(aes))" \
>    0x01020304f6ddb555acfd9d77b03ea3843f265325 96
>#
># Policy
>if [ "${NODE}" = "A" ]; then
>        ./ip xfrm policy add dir out src 10.66.21.164 dst 10.66.21.166 \
>                tmpl proto esp mode transport
>        ./ip xfrm policy add dir in src 10.66.21.166 dst 10.66.21.164 \
>                tmpl proto esp mode transport
>fi
>if [ "${NODE}" = "B" ]; then
>        ./ip xfrm policy add dir in src 10.66.21.164 dst 10.66.21.166 \
>                tmpl proto esp mode transport
>        ./ip xfrm policy add dir out src 10.66.21.166 dst 10.66.21.164 \
>                tmpl proto esp mode transport
>fi
>

Thank you!! Your instructions were perfect and I had it working
in no time.

regards,
Joy
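
The key material in the quoted scripts is longer than an AES key because RFC 4309 (CCM) and RFC 4106 (GCM) append a 3-byte or 4-byte salt to it, and the trailing 96 is the ICV length in bits. The pre-flight check below is an added example, not part of the original messages; the function name check_aead_key is hypothetical, and it validates lengths only.

```shell
#!/bin/sh
# Added example: sanity-check AEAD key material before "ip xfrm state add".
# Assumption: the key is 0x-prefixed hex, as in the quoted scripts.

# check_aead_key ALGO HEXKEY ICVBITS  (hypothetical helper)
# Prints the key/salt split and returns 0 when the lengths fit, 1 otherwise.
check_aead_key() {
    algo=$1 hex=${2#0x} icv=$3

    # KEYMAT is the AES key followed by the salt (the trailing bytes).
    case $algo in
        'rfc4309(ccm(aes))') salt=3 ;;   # RFC 4309: 3-byte salt
        'rfc4106(gcm(aes))') salt=4 ;;   # RFC 4106: 4-byte salt
        *) echo "unsupported algorithm: $algo"; return 1 ;;
    esac

    # Reject empty input, non-hex characters and half bytes.
    case $hex in
        ''|*[!0-9a-fA-F]*) echo "not a hex string: $2"; return 1 ;;
    esac
    [ $(( ${#hex} % 2 )) -eq 0 ] || { echo "odd number of hex digits"; return 1; }

    total=$(( ${#hex} / 2 ))
    aes=$(( total - salt ))
    case $aes in
        16|24|32) ;;
        *) echo "$algo: $total bytes is not an AES key + $salt-byte salt"; return 1 ;;
    esac

    # Both modes use an ICV of 8, 12 or 16 bytes.
    case $icv in
        64|96|128) ;;
        *) echo "$algo: ICV length $icv is not 64, 96 or 128"; return 1 ;;
    esac

    echo "$algo: AES-$(( aes * 8 )) key + $salt-byte salt, ICV $icv bits"
}

# Key material taken from the quoted scripts.
check_aead_key 'rfc4309(ccm(aes))' 0x0102037aeaca3f87d060a12f4a4487d5a5c335 96
check_aead_key 'rfc4106(gcm(aes))' 0x010203047aeaca3f87d060a12f4a4487d5a5c335 96
# Reusing the 19-byte CCM key with GCM is caught before it reaches the kernel.
check_aead_key 'rfc4106(gcm(aes))' 0x0102037aeaca3f87d060a12f4a4487d5a5c335 96 ||
    echo "rejected as expected"
```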