
Re: question on setting up for ipsec/linux



I'm away from Greece until the end of February. Some questions I may be
able to answer, but I don't have the ipsec code with me, nor do I have
a setup where I can test things. Here are some tips that may help you though.

* The code has been tested under 2.0.27 and 2.0.28. It will probably run
on kernels down to 2.0.24. It will not even load with 2.1.x. 

* Only "tunnel mode" works. I'm waiting for a few more changes to occur
to the 2.1.x routing code before I move the IPSEC code to 2.1.x and 
implement transport mode.

* While not reflected in the (excuse for) documentation, I *have*
tested all the modes for all the transforms. Of course, I may have 
interpreted the I-Ds in the wrong way, but I don't think so. The following
transforms are supported:

	ah md5
	esp des (with 32 and 64 bit IVs)
	ah hmac-md5
	ah hmac-sha-1
	esp des-md5
	esp 3des-md5

Please note that des-md5 and 3des-md5 have this weird concept of the Initiator
and Responder. Since we're still doing manual keying anyway, it doesn't
matter much which side is which, and it doesn't even matter if both
sides are Is or Rs. The information is only used to derive the
encryption and authentication keys, the IV and the counter, from the
(hopefully) negotiated shared secret. If all else fails, set both sides to
be Initiators, and this way you won't have to think about which "setsa"
lines get an r and which get an i.

I'll try to write up some more docs when I'm back in Athens, but if
someone else from Europe could do it, it would be good.

/ji
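The point about the Initiator/Responder flag in the des-md5 and 3des-md5 transforms, illustrated with an added Python example that is not part of the original message or of the Linux IPSEC code it discusses. The derivation below (HMAC-MD5 of a role-tagged label under the shared secret, DES odd-parity adjustment of the cipher key, a 96-bit truncated HMAC-MD5 ICV) is a constructed stand-in for whatever the I-Ds actually specify; the function names, labels and the sample packet are all assumptions made for the example. What it shows is the practical consequence of the flag under manual keying: the role only selects which material is derived from the shared secret, so the two ends of one SA must be configured with the same letter, and a mismatch surfaces as an ICV failure rather than anything more descriptive.

```python
import hashlib
import hmac

# Constructed sample values for the example (not from the original message).
SHARED_SECRET = b"manually-keyed-shared-secret"
SAMPLE_PAYLOAD = bytes.fromhex("4500003c1c4640004006b1e6c0a80001c0a80002") + b"hello"


def des_odd_parity(key: bytes) -> bytes:
    """Set the low bit of every byte so each byte has odd parity (DES key convention)."""
    out = bytearray()
    for b in key:
        bits = bin(b >> 1).count("1")          # parity of the 7 key bits
        out.append((b & 0xFE) | (0 if bits % 2 else 1))
    return bytes(out)


def derive_sa_material(shared_secret: bytes, role: str, transform: str = "des-md5") -> dict:
    """Hypothetical role-dependent derivation: the role letter ('i' or 'r')
    is mixed into every label, so the two ends of an SA must agree on it."""
    if role not in ("i", "r"):
        raise ValueError("role must be 'i' (Initiator) or 'r' (Responder)")
    if transform not in ("des-md5", "3des-md5"):
        raise ValueError("unsupported transform")

    def kdf(label: bytes, nbytes: int) -> bytes:
        # Stretch with a counter so we can pull more than one MD5 block if needed.
        out = b""
        n = 0
        while len(out) < nbytes:
            out += hmac.new(shared_secret, role.encode() + b"|" + label + bytes([n]), hashlib.md5).digest()
            n += 1
        return out[:nbytes]

    enc_len = 8 if transform == "des-md5" else 24
    return {
        "role": role,
        "enc_key": des_odd_parity(kdf(b"enc", enc_len)),
        "auth_key": kdf(b"auth", 16),
        "iv": kdf(b"iv", 8),
        "counter": int.from_bytes(kdf(b"counter", 4), "big"),
    }


def icv(auth_key: bytes, data: bytes) -> bytes:
    """HMAC-MD5 truncated to 96 bits, the usual AH/ESP authenticator length."""
    return hmac.new(auth_key, data, hashlib.md5).digest()[:12]


def receiver_accepts(shared_secret: bytes, sender_role: str, receiver_role: str,
                     payload: bytes, transform: str = "des-md5") -> bool:
    """Simulate one SA: sender authenticates with its derived key, receiver
    verifies with the key derived from *its* configured role."""
    tx = derive_sa_material(shared_secret, sender_role, transform)
    rx = derive_sa_material(shared_secret, receiver_role, transform)
    return hmac.compare_digest(icv(tx["auth_key"], payload), icv(rx["auth_key"], payload))


if __name__ == "__main__":
    for s, r in (("i", "i"), ("r", "r"), ("i", "r")):
        print(f"sender={s} receiver={r}: ICV ok = {receiver_accepts(SHARED_SECRET, s, r, SAMPLE_PAYLOAD)}")
```

Read the "setsa" lines of a manually keyed pair against this: the two lines describing the same SPI must carry the same letter, and the easy way to guarantee that is the advice in the message, give every SA on both machines an "i".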