I've successfully run Coda over IPSEC with manual keying.
This is with recent Coda, and FreeBSD 3.3 + KAME snap 19991227.
The configuration below is for the client (10.0.0.1); the server is
192.168.2.2. The server's config is similar, but with the out/in
directions of the spd entries reversed.
This doesn't handle the tcp sideeffects rpc2 port, but I haven't seen
any of those.
The xor-token problem is mitigated by this, since:
* the tokens are never exposed on the net
* coda packets are accepted only from peers authorized by ipsec, so
knowing a token helps an attacker much less when they are not on an
authorized machine
#!/bin/sh
setkey -v -c << EOF
# clog from/to 10.0.0.1
spdadd 10.0.0.1/32[any] 192.168.2.2/32[370] udp
-P out ipsec esp/transport//require ;
spdadd 192.168.2.2/32[370] 10.0.0.1/32[any] udp
-P in ipsec esp/transport//require ;
# venus control from/to 10.0.0.1
spdadd 10.0.0.1/32[2430] 192.168.2.2/32[2432] udp
-P out ipsec esp/transport//require ;
spdadd 192.168.2.2/32[2432] 10.0.0.1/32[2430] udp
-P in ipsec esp/transport//require ;
# venus sideeffects from/to 10.0.0.1
spdadd 10.0.0.1/32[2431] 192.168.2.2/32[2433] udp
-P out ipsec esp/transport//require ;
spdadd 192.168.2.2/32[2433] 10.0.0.1/32[2431] udp
-P in ipsec esp/transport//require ;
EOF
setkey -v -c << EOF
# one SA per direction; [foo] is the 3des-cbc key (24 bytes) and [bar]
# the hmac-sha1 key (20 bytes), both as 0x-prefixed hex
add 10.0.0.1 192.168.2.2 esp 0x34101
-m transport -r 0
-E 3des-cbc [foo]
-A hmac-sha1 [bar]
;
add 192.168.2.2 10.0.0.1 esp 0x34102
-m transport -r 0
-E 3des-cbc [foo]
# -A hmac-sha1 [bar]
# (with -A left out, this direction is ESP without integrity protection;
#  enable it to match the client->server SA)
;
EOF
Here's a key-gen script I found handy:
#!/bin/sh
# usage: keygen NBYTES   (24 for 3des-cbc, 20 for hmac-sha1)
# prints NBYTES random bytes as hex; prefix the output with 0x for setkey
# (byte-wise %02x so no leading zeros get dropped from the key)
dd if=/dev/random bs=1 count=$1 2>/dev/null | \
hexdump -v -e '/1 "%02x"' ; echo
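As an added example (my own script, not from the original post and not part of Coda or KAME), here is a small sh script that emits setkey input for either end of the setup above, so the server policy is always the exact mirror of the client one, and that refuses keys of the wrong length before they reach setkey. It assumes the same ports as the post (370, 2430/2432, 2431/2433) and keys given as 0x-prefixed hex.

```shell
#!/bin/sh
# Added example: generate setkey(8) input for the Coda-over-IPsec setup.

# gen_spd ROLE CLIENT_IP SERVER_IP   (ROLE is "client" or "server")
# Port pairs are "client-port server-port", as in the post's spd entries.
gen_spd() {
    role=$1; client=$2; server=$3
    for pair in "any 370" "2430 2432" "2431 2433"; do
        set -- $pair            # $1 = client port, $2 = server port
        me="$client/32[$1]"; peer="$server/32[$2]"
        if [ "$role" = server ]; then
            me="$server/32[$2]"; peer="$client/32[$1]"
        fi
        printf 'spdadd %s %s udp -P out ipsec esp/transport//require ;\n' "$me" "$peer"
        printf 'spdadd %s %s udp -P in ipsec esp/transport//require ;\n' "$peer" "$me"
    done
}

# keylen_ok KEY NBYTES: true when KEY is 0x-prefixed hex of exactly NBYTES bytes.
# 3des-cbc needs 24 bytes, hmac-sha1 needs 20.
keylen_ok() {
    hex=${1#0x}
    [ "$hex" != "$1" ] || return 1                 # must start with 0x
    case $hex in *[!0-9a-fA-F]*|"") return 1 ;; esac
    [ $(( ${#hex} % 2 )) -eq 0 ] && [ $(( ${#hex} / 2 )) -eq "$2" ]
}

# gen_sad CLIENT_IP SERVER_IP SPI_OUT SPI_IN ENCKEY AUTHKEY
# Both directions get the -A line, unlike the second SA in the post.
gen_sad() {
    keylen_ok "$5" 24 || { echo "bad 3des-cbc key length" >&2; return 1; }
    keylen_ok "$6" 20 || { echo "bad hmac-sha1 key length" >&2; return 1; }
    printf 'add %s %s esp %s -m transport -r 0 -E 3des-cbc %s -A hmac-sha1 %s ;\n' \
        "$1" "$2" "$3" "$5" "$6"
    printf 'add %s %s esp %s -m transport -r 0 -E 3des-cbc %s -A hmac-sha1 %s ;\n' \
        "$2" "$1" "$4" "$5" "$6"
}
```

Pipe the output of gen_spd/gen_sad into `setkey -v -c` on the respective host; the SPIs and keys are placeholders you choose.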
Greg Troxel <[EMAIL PROTECTED]>