Hi,
I am developing an IPSec stack for the ixp1200 platform. I have successfully completed IKE Phase I and Phase II and got the keying materials for ESP traffic.
I sent a ping request from an IPSec client (Safenet SoftRemote client) and I am seeing that the authentication data is only 12 bytes (96 bits). I am negotiating the SHA1 authentication algorithm. I verified the data authenticity depending on IP header length and it's correct.
When I get the Ping Request packet, I extract the payload and do SHA1 authentication and 3DES decryption. My authentication is failing but encryption is successful. So I sent the packet to the IP stack and I got the ping reply in plain text. Now I encrypt that packet and authenticate it, add the IP header and send it to the client. But on the client side it's not getting the reply.
Can anyone tell me what's going wrong here? Is there any method to trace the ESP processing on the client side? Or does any other Windows client give ESP packet processing details?
Any help will be greatly appreciated.
Thanks & Best Regards,
BPaul
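
An added example, not part of the original post: a reference check for the 12-byte ESP authentication data described above, assuming HMAC-SHA-1-96 (RFC 2404) and ESP as in RFC 2406, where the ICV covers SPI, sequence number, IV and ciphertext and is verified before decryption. The key, SPI and packet bytes are constructed samples, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA-1-96: first 96 bits of the 160-bit HMAC output


def esp_icv(auth_key: bytes, esp_without_icv: bytes) -> bytes:
    """ICV over SPI | sequence number | IV | ciphertext, truncated to 12 bytes."""
    return hmac.new(auth_key, esp_without_icv, hashlib.sha1).digest()[:ICV_LEN]


def verify_esp(auth_key: bytes, esp_packet: bytes) -> dict:
    """Check the ICV of one ESP packet (the bytes after the outer IP header).

    The check runs on the ciphertext, before any decryption.
    """
    if len(esp_packet) < 8 + ICV_LEN:
        raise ValueError("too short for ESP header plus 96-bit ICV")
    body, received = esp_packet[:-ICV_LEN], esp_packet[-ICV_LEN:]
    spi, seq = struct.unpack("!II", body[:8])
    ok = hmac.compare_digest(esp_icv(auth_key, body), received)
    return {"spi": spi, "seq": seq, "icv_ok": ok}


def build_esp(auth_key: bytes, spi: int, seq: int, iv_and_ciphertext: bytes) -> bytes:
    """Outbound side: the ICV is appended after encryption is finished."""
    body = struct.pack("!II", spi, seq) + iv_and_ciphertext
    return body + esp_icv(auth_key, body)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real SA.
    key = bytes(range(20))          # 160-bit HMAC-SHA1 key
    ct = bytes(8) + b"\xaa" * 40    # 8-byte 3DES IV + 40 bytes of ciphertext
    pkt = build_esp(key, 0x1000, 1, ct)
    print(verify_esp(key, pkt))
    # Comparing the full 20-byte digest against the 12-byte field never matches.
    full = hmac.new(key, pkt[:-ICV_LEN], hashlib.sha1).digest()
    print("full 20-byte digest equals ICV field:", full == pkt[-ICV_LEN:])
```

Feeding a captured inbound packet and the negotiated authentication key to `verify_esp` shows whether the mismatch comes from the key material or from the byte range being hashed.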
From: [EMAIL PROTECTED] (Theodor Isporidi)
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED] ()
Subject: Re: Signing certificates on Windows
Date: Wed, 8 Jan 2003 06:19:12 +0100

Hi !

> Why not use the 'openssl' directly, in a step-by-step manner?

Easier said than done if the openssl docs are almost nonexistent and the mod_ssl docs state explicitly

    Prepare a script for signing which is needed because the ``openssl ca'' command has some strange requirements and the default OpenSSL config doesn't allow one easily to use ``openssl ca'' directly. So a script named sign.sh is distributed with the mod_ssl distribution (subdir pkg.contrib/). Use this script for signing.

without even giving a hint about how to do it manually.

> If not, there should be something at the Linux Documentation Project
> Let's see..."google is your friend":

I know, but my search didn't turn up anything useful. I probably used the wrong keywords.

> http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/pdf/SSL-Cert
> ficates-HOWTO.pdf

Thanks a lot, that document was just what I needed! I have my certificates now. But Apache is still giving me some headaches. Perhaps you could give me a hand here too?

I'm starting Apache with -D SSL to have ssl.conf included and uncommented the line

    LoadModule ssl_module modules/mod_ssl.so

in httpd.conf to load mod_ssl. So far so good. I want to have several virtual hosts for local testing of several webpages. Some should only be served via http, others only via https.

My config looks like this:

    NameVirtualHost 127.0.0.1:80

    <VirtualHost 127.0.0.1:80 localhost:80>
        ServerAdmin [EMAIL PROTECTED]
        DocumentRoot /page1
        ServerName localhost
    </VirtualHost>

    <VirtualHost localhost2:80>
        ServerAdmin [EMAIL PROTECTED]
        DocumentRoot /page2
        ServerName localhost2
    </VirtualHost>

    <VirtualHost localhost3:80>
        ServerAdmin [EMAIL PROTECTED]
        DocumentRoot /page3
        ServerName localhost3
    </VirtualHost>

and there is another VirtualHost in ssl.conf

    NameVirtualHost 127.0.0.1:443

    <VirtualHost 127.0.0.1:443 localhost4:443>
        ServerAdmin [EMAIL PROTECTED]
        DocumentRoot /page4
        ServerName localhost4
        SSLEngine on
        SSLProtocol all
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        # The rest are default settings except for paths to certificates
    </VirtualHost>

Localhost, localhost2, localhost3 and localhost4 point to 127.0.0.1 (done with the hosts file).

What I think this should do is serve localhost, localhost2 and localhost3 only via http and localhost4 only via https. But that doesn't work. I can access all 4 via http and https on Netscape 4.79. With IE 6.0 SP1 I can access all 4 via http but none at all via https.

What is wrong there?

Bye !
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
