
IPsec manual keying



According to the IPsec FAQ, 

------snip-------

You need to generate your manual keys. Since the security of the VPN is
based on these keys being unguessable, it is very important that
the keys be chosen using a strong random source. One practical method of
generating them is by using the random(4) device. To produce 160
bits of randomness, for example, do: 

    # dd if=/dev/urandom bs=1024 count=1 | sha1 

The number of bits produced is important. Different cipher types may
require different sized keys. 

Cipher    Key Length
DES       56 bits
3DES      168 bits
BLF       Variable (40-160, 160 bits recommended)
CAST      Variable (40-128, 128 bits recommended)
SKIPJACK  80 bits 

    # ipsecadm new esp -spi SPI_OUT -src MY_EXTERNAL_IP -dst PEER_EXTERNAL_IP \
        -forcetunnel -enc blf -auth sha1 -key ENC_KEY -authkey AUTH_KEY

------snip-------

So, how does one create a key that is not sha1 for the AUTH_KEY?
Replacing "sha1" in the above command with, for instance, "blf" as in
the example or des3, just gives me command not found errors. I know I
must be missing something very simple but I did RTFM and still don't
have a clue as to the magic incantation.

Thanks,
-Jake
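
As an added example (not part of Jake's post or of the OpenBSD FAQ text he quotes), the shell below generates the two random keys the FAQ describes and fills them into the ipsecadm command line shown there. What it illustrates is that the argument to -auth names the authentication algorithm used by the SA (sha1 here meaning HMAC-SHA1), not a method of producing the key: AUTH_KEY is simply random bits of the required length, produced the same way as ENC_KEY. The SPI and addresses are placeholders, and od(1) is used instead of the FAQ's `dd | sha1` pipeline so the bit length can be picked directly from the FAQ's table; the command is printed rather than executed.

```shell
#!/bin/sh
# Added example, not from the original post or the OpenBSD IPsec FAQ.
# Generates random hex keys for ipsecadm(8) manual keying and assembles
# the "ipsecadm new esp ..." command quoted in the FAQ.
# Assumptions: /dev/urandom exists; head(1) and od(1) are available.

# gen_key BITS -> prints BITS/8 random bytes as lowercase hex, no newline.
# Use the bit length from the FAQ table (e.g. 160 for blf, 128 for cast).
gen_key() {
    bits=$1
    bytes=$(( bits / 8 ))
    head -c "$bytes" /dev/urandom | od -An -tx1 -v | tr -d ' \n'
}

# key_bits HEX -> number of key bits a hex string represents.
key_bits() {
    hex=$1
    echo $(( ${#hex} * 4 ))
}

# hex_ok HEX -> succeeds only if HEX is non-empty and purely [0-9a-f].
hex_ok() {
    case $1 in
        '')           return 1 ;;
        *[!0-9a-f]*)  return 1 ;;
        *)            return 0 ;;
    esac
}

# build_ipsecadm SPI SRC DST ENC_ALG ENC_KEY AUTH_ALG AUTH_KEY
# Prints the FAQ's command with the placeholders filled in.
build_ipsecadm() {
    printf 'ipsecadm new esp -spi %s -src %s -dst %s -forcetunnel -enc %s -auth %s -key %s -authkey %s\n' \
        "$1" "$2" "$3" "$4" "$6" "$5" "$7"
}

# Blowfish with a 160-bit key for ESP encryption, HMAC-SHA1 with a
# 160-bit key for authentication. Both keys come from the same generator;
# nothing about the auth key is "sha1" except the algorithm it feeds.
# SPI and IP addresses below are placeholders (documentation ranges).
ENC_KEY=$(gen_key 160)
AUTH_KEY=$(gen_key 160)
build_ipsecadm 1000 192.0.2.1 198.51.100.1 blf "$ENC_KEY" sha1 "$AUTH_KEY"
```

On OpenBSD the FAQ's own pipeline, `dd if=/dev/urandom bs=1024 count=1 | sha1`, yields the same kind of 160-bit hex string and can be used for either key; the variant above just makes the requested length explicit.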
