I've successfully run Coda over IPSEC with manual keying. This is with recent Coda, and FreeBSD 3.3 + KAME snap 19991227.

The configuration below is for the client (10.0.0.1). The server's config is similar, but with out/in reversed for spd entries. This doesn't handle the tcp sideeffects rpc2 port, but I haven't seen any of those.

The problem of xor tokens can be mitigated by this due to
 * not exposing the tokens on the net
 * only accepting coda packets from authorized (by ipsec) peers, so knowing the token doesn't help as much for an attacker not on an authorized machine

#!/bin/sh
setkey -v -c << EOF
# clog from/to 10.0.0.1
spdadd 10.0.0.1/32[any] 192.168.2.2/32[370] udp -P out ipsec esp/transport//require ;
spdadd 192.168.2.2/32[370] 10.0.0.1/32[any] udp -P in ipsec esp/transport//require ;
# venus control from/to 10.0.0.1
spdadd 10.0.0.1/32[2430] 192.168.2.2/32[2432] udp -P out ipsec esp/transport//require ;
spdadd 192.168.2.2/32[2432] 10.0.0.1/32[2430] udp -P in ipsec esp/transport//require ;
# venus sideeffects from/to 10.0.0.1
spdadd 10.0.0.1/32[2431] 192.168.2.2/32[2433] udp -P out ipsec esp/transport//require ;
spdadd 192.168.2.2/32[2433] 10.0.0.1/32[2431] udp -P in ipsec esp/transport//require ;
EOF

setkey -v -c << EOF
add 10.0.0.1 192.168.2.2 esp 0x34101 -m transport -r 0 -E 3des-cbc [foo] -A hmac-sha1 [bar] ;
add 192.168.2.2 10.0.0.1 esp 0x34102 -m transport -r 0 -E 3des-cbc [foo] # -A hmac-sha1 [bar] ;
EOF

Here's a key-gen script I found handy:

#!/bin/sh
# usage: genkey <nbytes>; prints the key as hex, one %02x per byte, so no
# leading zeros are dropped and the output is exactly <nbytes> bytes long
dd if=/dev/random bs=1 count=$1 2>/dev/null | \
    hexdump -v -e '/1 "%02x"' ; echo

Greg Troxel <gdt_at_ir.bbn.com>
Received on 2000-02-21 08:41:52
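The post gives the client half of the manual-keying setup by hand and says the server half is the same with out/in reversed. The script below is an added example, not code from the post or from the Coda or KAME projects: it generates the setkey(8) SPD and SAD input for both hosts from one pair of keys, using the port numbers the post lists (clog 370, venus control 2430/2432, venus sideeffects 2431/2433) and fixed-size keys (24 bytes for 3des-cbc, 20 for hmac-sha1, the lengths setkey requires). The function names, the RANDOM_SOURCE variable and the use of od instead of hexdump are my choices. sa_has_auth is a check worth running on any hand-edited SAD: setkey treats "#" to end of line as a comment, so an "add" line whose -A clause sits after a "#" (as the second add line in the post does) installs an SA with encryption but no integrity check, and the check flags it.

```shell
#!/bin/sh
# Added example (not from the post): emit the setkey(8) SPD/SAD input for
# both ends of a Coda client/server pair from one set of manual keys.
# Port numbers are the posted ones (clog 370, venus control 2430/2432,
# venus sideeffects 2431/2433); function names and RANDOM_SOURCE are mine.

RANDOM_SOURCE=${RANDOM_SOURCE:-/dev/urandom}   # assumption: any byte source

# genkey NBYTES: NBYTES random bytes as 0x-prefixed hex. One %02x per byte,
# so no leading zero is lost and a 20-byte hmac-sha1 key is not zero-padded.
genkey() {
    printf '0x'
    dd if="$RANDOM_SOURCE" bs=1 count="$1" 2>/dev/null | od -A n -t x1 -v | tr -d ' \n'
    echo
}

# spd_pair LOCAL LPORT PEER PPORT: the out/in policy pair for one UDP flow.
spd_pair() {
    printf 'spdadd %s/32[%s] %s/32[%s] udp -P out ipsec esp/transport//require ;\n' "$1" "$2" "$3" "$4"
    printf 'spdadd %s/32[%s] %s/32[%s] udp -P in ipsec esp/transport//require ;\n' "$3" "$4" "$1" "$2"
}

# coda_spd ROLE LOCAL PEER: the three Coda flows for ROLE = client | server.
# The server's table is the client's with the port columns swapped, which
# yields the "out/in reversed" entries the post describes.
coda_spd() {
    case "$1" in
      client) spd_pair "$2" any  "$3" 370
              spd_pair "$2" 2430 "$3" 2432
              spd_pair "$2" 2431 "$3" 2433 ;;
      server) spd_pair "$2" 370  "$3" any
              spd_pair "$2" 2432 "$3" 2430
              spd_pair "$2" 2433 "$3" 2431 ;;
      *)      echo "coda_spd: role must be client or server" >&2; return 1 ;;
    esac
}

# sad_pair CLIENT SERVER SPI_C2S SPI_S2C EKEY AKEY: the two manual SAs.
# The same text goes to both hosts, and both directions carry ESP with
# encryption and an integrity check.
sad_pair() {
    printf 'add %s %s esp %s -m transport -r 0 -E 3des-cbc %s -A hmac-sha1 %s ;\n' "$1" "$2" "$3" "$5" "$6"
    printf 'add %s %s esp %s -m transport -r 0 -E 3des-cbc %s -A hmac-sha1 %s ;\n' "$2" "$1" "$4" "$5" "$6"
}

# sa_has_auth LINE: succeed only if an "add" line still carries -A after the
# comment is dropped (setkey reads "#" to end of line as a comment, so a
# "# -A hmac-sha1 ..." tail leaves the SA encrypted but unauthenticated).
sa_has_auth() {
    case "${1%%#*}" in
      *" -A "*) return 0 ;;
      *)        return 1 ;;
    esac
}

# Stand-alone use: codakeys.sh CLIENT_IP SERVER_IP prints both hosts' input.
if [ $# -eq 2 ]; then
    ekey=$(genkey 24)   # 3des-cbc: exactly 192 bits
    akey=$(genkey 20)   # hmac-sha1: exactly 160 bits
    echo "# ---- setkey -c input for the client ($1) ----"
    coda_spd client "$1" "$2"
    sad_pair "$1" "$2" 0x34101 0x34102 "$ekey" "$akey"
    echo "# ---- setkey -c input for the server ($2) ----"
    coda_spd server "$2" "$1"
    sad_pair "$1" "$2" 0x34101 0x34102 "$ekey" "$akey"
fi
```

Run it once, feed the first half to setkey -c on the client and the second half on the server; because the add lines are printed from the same variables, the SPIs and keys cannot drift between the two hosts the way hand-copied hex can.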
I've successfully run Coda over IPSEC with manual keying. This is with recent Coda, and FreeBSD 3.3 + KAME snap 19991227. The configuration below is for the client (10.0.0.1). The server's config is similar, but with out/in reversed for spd entries. This doesn't handle the tcp sideeffects rpc2 port, but I haven't seen any of those. The problem of xor tokens can be mitigated by this due to * not exposing the tokens on the net * only accepting coda packets from authorized (by ipsec) peers, so knowing the token doesn't help as much for an attacker not on an authorized machine #!/bin/sh setkey -v -c << EOF # clog from/to 10.0.0.1 spdadd 10.0.0.1/32[any] 192.168.2.2/32[370] udp -P out ipsec esp/transport//require ; spdadd 192.168.2.2/32[370] 10.0.0.1/32[any] udp -P in ipsec esp/transport//require ; # venus control from/to 10.0.0.1 spdadd 10.0.0.1/32[2430] 192.168.2.2/32[2432] udp -P out ipsec esp/transport//require ; spdadd 192.168.2.2/32[2432] 10.0.0.1/32[2430] udp -P in ipsec esp/transport//require ; # venus sideeffects from/to 10.0.0.1 spdadd 10.0.0.1/32[2431] 192.168.2.2/32[2433] udp -P out ipsec esp/transport//require ; spdadd 192.168.2.2/32[2433] 10.0.0.1/32[2431] udp -P in ipsec esp/transport//require ; EOF setkey -v -c << EOF add 10.0.0.1 192.168.2.2 esp 0x34101 -m transport -r 0 -E 3des-cbc [foo] -A hmac-sha1 [bar] ; add 192.168.2.2 10.0.0.1 esp 0x34102 -m transport -r 0 -E 3des-cbc [foo] # -A hmac-sha1 [bar] ; EOF Here's a key-gen script I found handy: #!/bin/sh dd if=/dev/random bs=1 count=$1 2>/dev/null | \ hexdump -e "6/4 \"%04x\" \"\\n\"" Greg Troxel <gdt_at_ir.bbn.com>Received on 2000-02-21 08:41:52