Hi folks, I've been working on getting my WiFi network running with IPsec. I'm at the point where all traffic on the wifi subnet is encrypted (i.e. ESP). Then I tried to add AH to the equation. I failed. This picture describes the network setup: http://beta.freebsddiary.org/images/ipsec-wireless.gif
Here's what I'm trying and failing with. With these rules, I get no comms between the laptop and the gateway. If I remove the "ah/tunnel/..." clauses from the spdadd statements, everything moves along nicely. What am I missing here? Any ideas? Thank you.

rules for the laptop (encrypting + authentication)

    add 10.0.0.1 10.0.0.10 esp 691 -E rijndael-cbc "1234567890123456";
    add 10.0.0.10 10.0.0.1 esp 693 -E rijndael-cbc "1234567890123456";
    add 10.0.0.1 10.0.0.10 ah 15700 -A hmac-md5 "1234567890123456";
    add 10.0.0.10 10.0.0.1 ah 24500 -A hmac-md5 "1234567890123456";

    spdadd 10.0.0.0/24 0.0.0.0/0 any -P out ipsec esp/tunnel/10.0.0.10-10.0.0.1/require ah/tunnel/10.0.0.10-10.0.0.1/require;
    spdadd 0.0.0.0/0 10.0.0.0/24 any -P in ipsec esp/tunnel/10.0.0.1-10.0.0.10/require ah/tunnel/10.0.0.1-10.0.0.10/require;

rules for the gateway (encrypting + authentication)

    add 10.0.0.1 10.0.0.10 esp 691 -E rijndael-cbc "1234567890123456";
    add 10.0.0.10 10.0.0.1 esp 693 -E rijndael-cbc "1234567890123456";
    add 10.0.0.1 10.0.0.10 ah 15700 -A hmac-md5 "1234567890123456";
    add 10.0.0.10 10.0.0.1 ah 24500 -A hmac-md5 "1234567890123456";

    spdadd 10.0.0.0/24 0.0.0.0/0 any -P in ipsec esp/tunnel/10.0.0.10-10.0.0.1/require ah/tunnel/10.0.0.10-10.0.0.1/require;
    spdadd 0.0.0.0/0 10.0.0.0/24 any -P out ipsec esp/tunnel/10.0.0.1-10.0.0.10/require ah/tunnel/10.0.0.1-10.0.0.10/require;

-- 
Dan Langille : http://www.langille.org/
BSDCan - http://www.bsdcan.org/
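A structural consistency checker for manually keyed setkey(8) rule sets like the two above. This is an added example written for this page; it is not part of Dan's post and not a tool from FreeBSD or setkey. It parses the add/spdadd lines in the form used in the post, then checks three things that commonly leave a tunnel dead when keying by hand: a policy that requires an SA (protocol plus tunnel endpoints) that was never added, a key whose length is wrong for its algorithm (rijndael-cbc takes 16, 24 or 32 bytes; hmac-md5 takes 16), and a peer whose SAD or SPD is not the mirror image of the local one. The laptop and gateway rule sets as posted pass every check; the variant with an altered AH SPI is constructed here purely to show what a detected mismatch looks like.

```python
"""Consistency checks for manually keyed setkey(8) SAD/SPD rule sets.

Added example for this page, not code from the original post. Only the
"add" and "spdadd ... -P dir ipsec proto/tunnel/A-B/level" forms used in
the post are parsed; anything else raises ValueError.
"""
import re
from collections import namedtuple

# Accepted key sizes in bytes (rijndael-cbc is AES with 128/192/256-bit keys).
KEY_LENGTHS = {"rijndael-cbc": (16, 24, 32), "hmac-md5": (16,)}

SA_RE = re.compile(r'^add\s+(\S+)\s+(\S+)\s+(esp|ah)\s+(\d+)\s+-[EA]\s+(\S+)\s+"([^"]*)"\s*;$')
SP_RE = re.compile(r'^spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+(.+?)\s*;$')
TUNNEL_RE = re.compile(r'^(esp|ah)/tunnel/([^-\s]+)-([^/\s]+)/(\w+)$')

SA = namedtuple("SA", "src dst proto spi alg key")
Policy = namedtuple("Policy", "src dst direction tunnels")  # tunnels: ((proto, a, b, level), ...)


def parse(text):
    """Return (sas, policies) parsed from setkey configuration text."""
    sas, policies = [], []
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if m := SA_RE.match(line):
            src, dst, proto, spi, alg, key = m.groups()
            sas.append(SA(src, dst, proto, int(spi), alg, key))
        elif m := SP_RE.match(line):
            src, dst, direction, rules = m.groups()
            tunnels = []
            for rule in rules.split():
                t = TUNNEL_RE.match(rule)
                if not t:
                    raise ValueError(f"unsupported policy rule: {rule}")
                tunnels.append(t.groups())
            policies.append(Policy(src, dst, direction, tuple(tunnels)))
        else:
            raise ValueError(f"unparsed line: {line}")
    return sas, policies


def check_host(sas, policies):
    """Checks that need only one host's own SAD and SPD."""
    problems = []
    for sa in sas:
        allowed = KEY_LENGTHS.get(sa.alg)
        if allowed and len(sa.key) not in allowed:
            problems.append(f"{sa.proto} SPI {sa.spi}: key is {len(sa.key)} bytes, "
                            f"{sa.alg} accepts {allowed}")
    have = {(sa.proto, sa.src, sa.dst) for sa in sas}
    for p in policies:
        for proto, a, b, _level in p.tunnels:
            if (proto, a, b) not in have:
                problems.append(f"{p.direction} policy {p.src}->{p.dst} requires "
                                f"{proto} SA {a}->{b}, which is not in the SAD")
    return problems


def check_peers(host_a, host_b):
    """Manual keying: both ends must hold identical SAs (same SPI, algorithm and
    key for each direction), and every policy on one host must appear on the
    other with the same selectors and tunnel chain but the opposite direction."""
    (sas_a, pol_a), (sas_b, pol_b) = host_a, host_b
    problems = [f"SA {sa.proto} {sa.src}->{sa.dst} SPI {sa.spi} is present on only one host"
                for sa in set(sas_a) ^ set(sas_b)]
    flipped = {"in": "out", "out": "in"}
    mirror_b = {(p.src, p.dst, flipped[p.direction], p.tunnels) for p in pol_b}
    for p in pol_a:
        if (p.src, p.dst, p.direction, p.tunnels) not in mirror_b:
            problems.append(f"no mirror on peer for {p.direction} policy {p.src}->{p.dst}")
    return problems


def audit(text_a, text_b):
    """Parse both hosts' rule sets and return every problem found, by category."""
    host_a, host_b = parse(text_a), parse(text_b)
    return {"host_a": check_host(*host_a), "host_b": check_host(*host_b),
            "peers": check_peers(host_a, host_b)}


# The two rule sets exactly as posted above.
LAPTOP_RULES = """
add 10.0.0.1 10.0.0.10 esp 691 -E rijndael-cbc "1234567890123456";
add 10.0.0.10 10.0.0.1 esp 693 -E rijndael-cbc "1234567890123456";
add 10.0.0.1 10.0.0.10 ah 15700 -A hmac-md5 "1234567890123456";
add 10.0.0.10 10.0.0.1 ah 24500 -A hmac-md5 "1234567890123456";
spdadd 10.0.0.0/24 0.0.0.0/0 any -P out ipsec esp/tunnel/10.0.0.10-10.0.0.1/require ah/tunnel/10.0.0.10-10.0.0.1/require;
spdadd 0.0.0.0/0 10.0.0.0/24 any -P in ipsec esp/tunnel/10.0.0.1-10.0.0.10/require ah/tunnel/10.0.0.1-10.0.0.10/require;
"""
GATEWAY_RULES = """
add 10.0.0.1 10.0.0.10 esp 691 -E rijndael-cbc "1234567890123456";
add 10.0.0.10 10.0.0.1 esp 693 -E rijndael-cbc "1234567890123456";
add 10.0.0.1 10.0.0.10 ah 15700 -A hmac-md5 "1234567890123456";
add 10.0.0.10 10.0.0.1 ah 24500 -A hmac-md5 "1234567890123456";
spdadd 10.0.0.0/24 0.0.0.0/0 any -P in ipsec esp/tunnel/10.0.0.10-10.0.0.1/require ah/tunnel/10.0.0.10-10.0.0.1/require;
spdadd 0.0.0.0/0 10.0.0.0/24 any -P out ipsec esp/tunnel/10.0.0.1-10.0.0.10/require ah/tunnel/10.0.0.1-10.0.0.10/require;
"""
# Constructed variant: one AH SPI typed differently on the gateway (not from the post).
BROKEN_GATEWAY_RULES = GATEWAY_RULES.replace("ah 24500", "ah 24501")

if __name__ == "__main__":
    for label, gw in (("as posted", GATEWAY_RULES), ("constructed SPI typo", BROKEN_GATEWAY_RULES)):
        print(label, audit(LAPTOP_RULES, gw))
```

Because the post's rule sets come through clean, the checker's value here is to rule out the typo class of mistake quickly; the mismatch report it produces for the constructed variant is the kind of discrepancy worth looking for whenever two hosts are keyed by hand.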