
#267896 - 30/11/2005 16:18
Re: VPNs in USA not allowed?
[Re: rowitech]
carpal tunnel
Registered: 29/08/2000
Posts: 14506
Loc: Canada
Quote:
Ok, I gave it a try...
18:45:10.545802 IP ding.rowi.net > dong.rowi.net: ESP(spi=0x00003d54,seq=0x46), length 88
...
Pings to each other reach the other host (snippet above) but ping obviously won't be decrypted.

tcpdump et al. will show the encrypted packets, but the actual echo reply that the ping command gets back will be decrypted before delivery to the ping command. Try an NFS mount, while you're at it -- everything in the middle is encrypted, but you can still browse files etc. as if it were all just regular TCP/IP.

Quote:
Am I right to switch the IP addresses IP1 and IP2 in the scripts for the other host or do I have to start the scripts exactly as it is on one host at the other (without any changes)?

No, just run the original script as-is on both ends. It does do a little extra work, but is designed to be used without having to edit/flip the IP addresses around.

Quote:
What if I need one Server and 100 clients? Is this a strict P2P configuration due to the 2 IP-addresses?

Then parameterize the script, so that you can invoke it once from each client with the appropriate client IP + server IP address pairs, and so you can run it 100 times on the server, once for each client IP.

And so long as you are not traversing NAT anywhere on the path, you should probably use BOTH ah and esp for maximum security. ah guarantees tamper-proof IP headers, whereas esp is just encrypting the payloads.

cheers
Edited by mlord (30/11/2005 16:18)
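
The per-pair parameterization suggested in the post above, as an added example that is not the script from this thread or the poster's code. It assumes ipsec-tools `setkey` syntax (the tool used in the thread is not shown on this page); the function name, SPI numbering, addresses and keys are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not the thread's script): print setkey(8) input for ONE
# client/server pair, AH + ESP in transport mode, manual keys.
# Assumes ipsec-tools setkey syntax; all addresses and keys are constructed.

# is_hex STRING N: true when STRING is exactly N hex digits
is_hex() {
    [ "${#1}" -eq "$2" ] || return 1
    case $1 in *[!0-9a-fA-F]*) return 1 ;; esac
}

# ipsec_pair ROLE CLIENT_IP SERVER_IP INDEX AH_KEY ESP_KEY
#   ROLE   client|server, the end this output is loaded on
#   INDEX  per-client number; keeps every SPI arriving at the server unique
#   keys   40 hex digits for hmac-sha1, 32 for rijndael-cbc (AES-128)
ipsec_pair() {
    role=$1 client=$2 server=$3 idx=$4 ah_key=$5 esp_key=$6
    is_hex "$ah_key" 40 && is_hex "$esp_key" 32 ||
        { echo "ipsec_pair: keys must be 40 and 32 hex digits" >&2; return 1; }
    case $idx in ''|*[!0-9]*) echo "ipsec_pair: bad index" >&2; return 1 ;; esac
    # The SAs are the same on both ends; only the policy direction flips.
    case $role in
        client) to_server=out to_client=in ;;
        server) to_server=in to_client=out ;;
        *) echo "ipsec_pair: role must be client or server" >&2; return 1 ;;
    esac
    base=$((4096 + idx * 4))   # 0x1000 upward, clear of reserved SPIs 0-255
    policy='ipsec esp/transport//require ah/transport//require'
    cat <<EOF
add $client $server ah $(printf '0x%x' "$base") -A hmac-sha1 0x$ah_key;
add $client $server esp $(printf '0x%x' $((base + 1))) -E rijndael-cbc 0x$esp_key;
add $server $client ah $(printf '0x%x' $((base + 2))) -A hmac-sha1 0x$ah_key;
add $server $client esp $(printf '0x%x' $((base + 3))) -E rijndael-cbc 0x$esp_key;
spdadd $client $server any -P $to_server $policy;
spdadd $server $client any -P $to_client $policy;
EOF
}

# Constructed sample values (RFC 5737 documentation addresses, dummy keys).
DEMO_AH_KEY=0123456789abcdef0123456789abcdef01234567
DEMO_ESP_KEY=0123456789abcdef0123456789abcdef

# What the server would load for client number 1:
ipsec_pair server 192.0.2.10 192.0.2.1 1 "$DEMO_AH_KEY" "$DEMO_ESP_KEY"
```

Pipe one call's output into `setkey -c` on the matching end; on the server, call the function once per client with a distinct INDEX.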