  #1  
Old 02-04-2003
Registered User
 

IPSec - VPN using shared key

Hello! I have some trouble trying to configure a VPN with two gateways. One of them uses IPSec [FreeSwan/Linux] with a single key, 256 bits in length, specified in /etc/ipsec.secrets. As the FreeSwan manual page says, if I put esp=3des-md5-96, a "64bit IV key (internally generated), a 192bit 3des ekey and a 128bit hmac-md5 akey (RFC2451, RFC2403)" will be used. The part I miss is: how can I split this key to be able to set up the other gateway with OpenBSD/FreeBSD? Or what must be done to use this single key for encryption and authentication on the xBSD gw? Here is a part from ipsec.conf:
Code:
conn my_connection
	left=[left_ip]
	...
	right=[right_ip]
	esp=3des-md5-96
	keyexchange=ike
	keylife=4h
	auto=start

and from ipsec.secrets:
Code:
left_ip right_ip : 0xaabccdd_eeffgghh_...

Thanks,
  #2  
Old 02-04-2003
Neo (Forum Staff)
Administrator
 

You don't need to 'split the key'... the key (shared secret) is symmetric, not asymmetric. You simply use the same (shared secret) key on both ends of the IPSEC VPN tunnel.

Each end will use the (shared secret) key to generate a session key.
  #3  
Old 02-11-2003
Registered User
 

My real problem is that the Linux gateway is using a "pre-shared key", while the xBSD gateway is asking for different keys with different encryption styles: an encryption key and an auth key. That I did not figure out: why BSD needs different keys and FreeSWAN/ipsec does not, or how can a BSD gateway talk to a FreeSWAN/Linux gateway with PSK?
  #4  
Old 02-11-2003
Neo (Forum Staff)
Administrator
 

Perhaps you would be better off using a simple shared secret between the two implementations. This shared secret would be used to establish a session key.

Did you try this to see if it would work? Did you establish a tunnel with only shared secrets (this is called a pre-shared key in the article below)?

http://www.onlamp.com/lpt/a/3043

Also, see the following article on setting up a BSD-LINUX IPSEC tunnel:

http://home.t-online.de/home/hburde/ipsec/node1.html
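
Added example, not part of any post in this thread: a sketch of the IKEv1 (RFC 2409) derivation showing that a pre-shared key is only an input to key derivation, and that the 192-bit 3DES key and 128-bit HMAC-MD5 key for esp=3des-md5-96 are cut from the derived KEYMAT rather than from the PSK itself. HMAC-MD5 as the negotiated prf is an assumption, and the PSK, nonces, cookies, SPIs and Diffie-Hellman secret are constructed sample values.

```python
import hashlib
import hmac

ESP = 3  # PROTO_IPSEC_ESP in the IPsec DOI (RFC 2407)

def prf(key, data):
    """IKEv1 prf; HMAC-MD5 is assumed to be the negotiated hash."""
    return hmac.new(key, data, hashlib.md5).digest()

def skeyid_d(psk, ni, nr, g_xy, cky_i, cky_r):
    """RFC 2409 section 5, pre-shared-key authentication."""
    skeyid = prf(psk, ni + nr)                       # SKEYID
    return prf(skeyid, g_xy + cky_i + cky_r + b"\x00")  # SKEYID_d

def keymat(skd, spi, ni2, nr2, nbytes):
    """RFC 2409 section 5.5 without PFS: K1 | K2 | ... cut to nbytes."""
    seed = bytes([ESP]) + spi + ni2 + nr2
    block, out = b"", b""
    while len(out) < nbytes:
        block = prf(skd, block + seed)  # Kn = prf(SKEYID_d, Kn-1 | seed)
        out += block
    return out[:nbytes]

def esp_keys(psk, x, spi):
    """Return (3des_ekey, hmac_md5_akey) for the SA identified by spi.

    Per RFC 2401 the encryption key is taken from the first bits of
    KEYMAT and the authentication key from the remaining bits.
    """
    skd = skeyid_d(psk, x["ni"], x["nr"], x["g_xy"], x["cky_i"], x["cky_r"])
    km = keymat(skd, spi, x["ni2"], x["nr2"], 24 + 16)
    return km[:24], km[24:]

# Constructed sample values (not from a real negotiation).
PSK = bytes(range(32))                      # 256-bit secret, same on both ends
EXCHANGE = {
    "ni": b"phase1-nonce-initiator", "nr": b"phase1-nonce-responder",
    "g_xy": hashlib.sha256(b"stand-in DH shared secret").digest(),
    "cky_i": bytes.fromhex("0102030405060708"),
    "cky_r": bytes.fromhex("1112131415161718"),
    "ni2": b"quick-mode-nonce-i", "nr2": b"quick-mode-nonce-r",
}
SPI_A, SPI_B = bytes.fromhex("1000a001"), bytes.fromhex("2000b002")

if __name__ == "__main__":
    for name, spi in (("SA A", SPI_A), ("SA B", SPI_B)):
        ekey, akey = esp_keys(PSK, EXCHANGE, spi)
        print(name, "3des ekey:", ekey.hex(), "md5 akey:", akey.hex())
```

Both gateways run the same derivation over the same exchange, so they arrive at identical per-SA keys without either key ever being typed into a configuration file.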