On Fri, Sep 22, 2006 at 06:08:03PM +0200, Martin Hedenfalk wrote:
> Hi misc,
> 
> We've been trying to get integrity only ESP (ie, null encryption) to
> work using ipsecctl on an OpenBSD 4.0 snapshot. The man page mentions
> null encryption only in conjunction with setting up manual SAs. In the
> section about automated keying using IKE there is however no mention
> of null encryption type. Is there a motivation for the difference in
> approach? Or are we just being awkward? ;-)
> 
> We are running in an environment where automated authentication and
> keying is crucial because we can't know where (as in IP address) the
> peers come from. Due to high traffic load and limited CPU performance
> of the peers (embedded low-power hardware), we are prepared to
> sacrifice confidentiality, but need to retain authentication and
> integrity protection.
> 
> Is it correct that this is not supported by ipsecctl? If so, can we
> configure isakmpd the old-fashioned way (isakmpd.conf) instead?

No, this is supported. At least on my pre-4.0 -current box:

AUTOMATIC KEYING
        ...
     main auth algorithm enc algorithm group group
           These parameters define the cryptographic transforms to be used for
           main mode.  Possible values for auth, enc, and group are described
           below in CRYPTO TRANSFORMS.

           If omitted, ipsecctl(8) will use the default values hmac-sha1, aes,
           and modp1024.

     quick auth algorithm enc algorithm group group
           These parameters define the cryptographic transforms to be used for
           quick mode.  Possible values for auth, enc, and group are described
           below in CRYPTO TRANSFORMS.  If group is specified, Perfect Forward
           Security (PFS) is used.  If the value none is used, PFS is disabled.

           If omitted, ipsecctl(8) will use the default values hmac-sha2-256
           and aes; PFS will only be used if the remote side requests it.

You can still use isakmpd.conf, if you really want to, but ipsec.conf is
much nicer.

                Joachim
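An ipsec.conf fragment for the integrity-only case raised in the question (an added example, not from Joachim's reply or the OpenBSD documentation). The networks, peer address and pre-shared key are placeholders, and it is assumed that `enc null` is accepted in the `quick` transform of an `ike` rule on the snapshot in use, which the man page excerpt above does not state explicitly.

```conf
# Integrity-only ESP negotiated with IKE (ipsec.conf fragment, added example).
# Assumed: 10.0.1.0/24 is the local network, 10.0.2.0/24 the remote one and
# 203.0.113.5 the remote gateway; all of these values are placeholders.
#
# Phase 1 (main mode) keeps a real cipher: the IKE exchange that carries the
# negotiated keying material must itself stay confidential.
# Phase 2 (quick mode) uses "enc null": ESP then provides authentication and
# integrity only, and packet payloads cross the wire in clear text.
ike esp from 10.0.1.0/24 to 10.0.2.0/24 peer 203.0.113.5 \
        main  auth hmac-sha1     enc aes  group modp1024 \
        quick auth hmac-sha2-256 enc null \
        psk "replace-with-a-long-random-secret"
```

After loading the rules with ipsecctl(8), `ipsecctl -s all` lists the resulting flows and SAs, so the negotiated transforms can be checked against what was intended.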
