Coda File System

Coda over IPSEC

From: Greg Troxel <gdt_at_fnord.ir.bbn.com>
Date: 21 Feb 2000 08:38:40 -0500
I've successfully run Coda over IPSEC with manual keying.
This is with recent Coda, and FreeBSD 3.3 + KAME snap 19991227.

The configuration below is for the client (10.0.0.1).
The server's config is similar, but with out/in reversed for spd
entries.

This doesn't handle the TCP side-effects RPC2 port, but I haven't seen
any of those.

The problem of XOR tokens can be mitigated by this, due to
 * not exposing the tokens on the net
 * only accepting Coda packets from authorized (by IPSEC) peers, so
   knowing the token doesn't help as much for an attacker not on an
   authorized machine

#!/bin/sh

setkey -v -c << EOF

# clog from/to 10.0.0.1
spdadd 10.0.0.1/32[any] 192.168.2.2/32[370] udp
	-P out ipsec esp/transport//require ;
spdadd 192.168.2.2/32[370] 10.0.0.1/32[any] udp
	-P in ipsec esp/transport//require ;
# venus control from/to 10.0.0.1
spdadd 10.0.0.1/32[2430] 192.168.2.2/32[2432] udp
	-P out ipsec esp/transport//require ;
spdadd 192.168.2.2/32[2432] 10.0.0.1/32[2430] udp
	-P in ipsec esp/transport//require ;
# venus sideeffects from/to 10.0.0.1
spdadd 10.0.0.1/32[2431] 192.168.2.2/32[2433] udp
	-P out ipsec esp/transport//require ;
spdadd 192.168.2.2/32[2433] 10.0.0.1/32[2431] udp
	-P in ipsec esp/transport//require ;
EOF

setkey -v -c << EOF

# Transport-mode ESP SAs, one per direction.  [foo] and [bar] stand for
# the keys (0x... hex: 192 bits for 3des-cbc, 160 bits for hmac-sha1);
# -r 0 turns replay checking off.
add 10.0.0.1 192.168.2.2 esp 0x34101
	-m transport -r 0
	-E 3des-cbc [foo]
	-A hmac-sha1 [bar]
	;

# With the -A line commented out, this inbound SA is encrypted but not
# integrity-protected.
add 192.168.2.2 10.0.0.1 esp 0x34102
	-m transport -r 0
	-E 3des-cbc [foo]
#	-A hmac-sha1 [bar]
	;

EOF
 
Here's a key-gen script I found handy:

#!/bin/sh
# $1 random bytes as one hex string for a setkey 0x... key.  "%02x" per byte
# keeps leading zeros ("6/4 %04x" drops them and yields short keys); -v
# stops hexdump from replacing repeated bytes with "*".
dd if=/dev/random bs=1 count=$1 2>/dev/null | hexdump -v -e '/1 "%02x"'
echo


        Greg Troxel <gdt_at_ir.bbn.com>
Received on 2000-02-21 08:41:52
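The per-flow policies and manual SAs in the post above, as an added example that is not part of Greg's message or of Coda itself: a POSIX sh script that emits the setkey input for either end of the link and generates keys of the right length. The addresses, ports and SPIs are those from the post; the function names, od in place of hexdump, /dev/urandom as the default source, and the choice to authenticate the server-to-client SA as well are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the post or from Coda: emit the setkey(8)
# SPD and SAD text for the Coda flows above, for either end of the link,
# with keys of the right length.  Addresses, ports and SPIs are the post's;
# the rest (function names, od instead of hexdump, /dev/urandom by default,
# authenticating both SAs) is this example's own.

CLIENT=10.0.0.1
SERVER=192.168.2.2
RANDOM_DEV=${RANDOM_DEV:-/dev/urandom}   # the post reads /dev/random

# client-port server-port label, one UDP flow per line (ports from the post)
FLOWS='any 370 clog
2430 2432 venus-control
2431 2433 venus-sideeffects'

# coda_hex_key NBYTES: NBYTES random bytes as 0x<hex>.  od -tx1 prints one
# two-digit item per byte, so leading zeros survive; fails if the length is
# off, since setkey rejects a key of the wrong size anyway.
coda_hex_key() {
    hex=$(dd if="$RANDOM_DEV" bs=1 count="$1" 2>/dev/null |
          od -An -v -tx1 | tr -d ' \n')
    [ "${#hex}" -eq $(( $1 * 2 )) ] || return 1
    printf '0x%s\n' "$hex"
}

# coda_spd client|server: the SPD entries.  Both hosts carry the same
# selectors; only -P out/in is swapped on the server, as the post says.
coda_spd() {
    case $1 in
        client) c2s=out; s2c=in ;;
        server) c2s=in;  s2c=out ;;
        *) echo "usage: coda_spd client|server" >&2; return 1 ;;
    esac
    printf '%s\n' "$FLOWS" | while read cport sport label; do
        printf '# %s\n' "$label"
        printf 'spdadd %s/32[%s] %s/32[%s] udp\n\t-P %s ipsec esp/transport//require ;\n' \
            "$CLIENT" "$cport" "$SERVER" "$sport" "$c2s"
        printf 'spdadd %s/32[%s] %s/32[%s] udp\n\t-P %s ipsec esp/transport//require ;\n' \
            "$SERVER" "$sport" "$CLIENT" "$cport" "$s2c"
    done
}

# coda_sad SPI_C2S SPI_S2C ENCKEY AUTHKEY: one transport-mode ESP SA per
# direction, same text on both hosts.  Unlike the post's inbound SA, both
# get -A hmac-sha1, so a peer without the key cannot forge or flip packets.
# -r 0 (no replay window) is kept from the post: with manual keys the
# sequence number restarts at every reboot.
coda_sad() {
    spi_c2s=$1; spi_s2c=$2; enc=$3; auth=$4
    for sa in "$CLIENT $SERVER $spi_c2s" "$SERVER $CLIENT $spi_s2c"; do
        set -- $sa   # src dst spi (addresses contain no spaces)
        printf 'add %s %s esp %s\n\t-m transport -r 0\n\t-E 3des-cbc %s\n\t-A hmac-sha1 %s\n\t;\n' \
            "$1" "$2" "$3" "$enc" "$auth"
    done
}

# coda_setkey client|server ENCKEY AUTHKEY: complete input for "setkey -c"
# on one host.  Generate the keys once and feed the same pair to both.
coda_setkey() {
    role=$1; enc=$2; auth=$3
    coda_spd "$role" || return 1
    echo "# manual SAs, identical on both hosts"
    coda_sad 0x34101 0x34102 "$enc" "$auth"
}

# Usage, e.g.:
#   enc=$(coda_hex_key 24); auth=$(coda_hex_key 20)  # 3des-cbc 192 bits, hmac-sha1 160 bits
#   coda_setkey client "$enc" "$auth" > client.setkey   # load on 10.0.0.1
#   coda_setkey server "$enc" "$auth" > server.setkey   # load on 192.168.2.2
#   setkey -c < client.setkey
```

Generate the key pair once and copy the resulting files to their hosts over a channel you already trust; the SAD text is the same on both ends, only the SPD directions differ, which is what the post describes for the server side.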