[Openswan dev] Pluto behaviour with auth=ah

Frank Schmirler osdev at schmirler.de
Wed May 9 10:19:28 EDT 2007


Hi,

I came across some more odd things (on 2.4.7). Configs for testcase attached:

Specifying "auth=ah" works as expected. You get AH+ESP:
004 "west-east-ah-default" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x0b2eb5ac <0xfdd36811 xfrm=3DES_0- AH=>0x0b2eb5ab <0xfdd36810 NATD=none
DPD=none}

Now add "esp=3des" and you will get ESP only:
004 "west-east-ah-3des" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x0b2eb5ae <0x34c920b4 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}

At first glance it also looks as though the "ah=" config parameter has no
influence anywhere. Well, I know that AH is almost unused (and FreeS/WAN
dropped it at some point in time). But let me know if you think this should be
fixed and I'll try to contribute a patch.

One more thing I noticed: Setup "west-east-esp-tunnel" on East which will
configure "auth=esp" and "type=tunnel". On West run "west-east-ah-transport"
which will use the opposite ("auth=ah" and "type=transport"). You will get a
working transport mode AH+ESP connection. Is it on purpose that auth= and
type= are considered by the initiator only?

Cheers,
Frank
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/octet-stream
Size: 497 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/dev/attachments/20070509/bedda80b/attachment.obj 
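The two "IPsec SA established" lines above are the only place where you can see what Pluto actually negotiated, and, as the post shows, the result can differ from what the conn's "auth=" line asked for. Below is an added example (not Frank's code and not part of Openswan) that parses those status lines and flags conns that came up without AH although AH was expected, and conns whose ESP carries no authentication transform at all. The "xfrm=<enc>_<keylen>-<auth>" layout and the "PROTO=>0xout <0xin" SPI layout are assumed from the two lines quoted in the post; the third sample line is constructed to show the unauthenticated case and was not produced by a real Pluto.

```python
import re

# Constructed sample lines. The first two reuse the shapes and SPI values
# quoted in the post (rejoined onto one line each); the third is made up
# to show an ESP-only SA that negotiated no authentication transform.
SAMPLE_LINES = [
    '004 "west-east-ah-default" #2: STATE_QUICK_I2: sent QI2, IPsec SA established '
    '{ESP=>0x0b2eb5ac <0xfdd36811 xfrm=3DES_0- AH=>0x0b2eb5ab <0xfdd36810 NATD=none DPD=none}',
    '004 "west-east-ah-3des" #2: STATE_QUICK_I2: sent QI2, IPsec SA established '
    '{ESP=>0x0b2eb5ae <0x34c920b4 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}',
    '004 "west-east-esp-noauth" #3: STATE_QUICK_I2: sent QI2, IPsec SA established '
    '{ESP=>0x0b2eb5b0 <0x34c920b6 xfrm=3DES_0- NATD=none DPD=none}',
]

# Assumed layout: '"<conn>" #<n>: ... IPsec SA established {<body>}'
SA_LINE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<num>\d+): .*IPsec SA established \{(?P<body>[^}]*)\}')
# Assumed layout inside the braces: 'ESP=>0x<outbound SPI> <0x<inbound SPI>'
PROTO = re.compile(
    r'\b(?P<proto>ESP|AH|IPCOMP)=>(?P<out>0x[0-9a-fA-F]+) <(?P<in>0x[0-9a-fA-F]+)')
# Assumed layout of the ESP transform summary: 'xfrm=<enc>_<keylen>-<auth>'
# where <auth> is empty when ESP negotiated no authentication algorithm.
XFRM = re.compile(r'\bxfrm=(?P<enc>[A-Za-z0-9]+)_(?P<keylen>\d+)-(?P<auth>[A-Za-z0-9_]*)')


def parse_sa_line(line):
    """Return a dict describing one 'IPsec SA established' line, or None."""
    m = SA_LINE.search(line)
    if m is None:
        return None
    body = m.group('body')
    spi = {p.group('proto'): (p.group('out'), p.group('in'))
           for p in PROTO.finditer(body)}
    x = XFRM.search(body)
    esp_enc = x.group('enc') if x else None
    esp_auth = (x.group('auth') or None) if x else None
    # Integrity comes from AH when present, otherwise from the ESP auth
    # transform; if neither is there the SA is encrypt-only.
    if 'AH' in spi:
        integrity = 'AH'
    elif esp_auth:
        integrity = 'ESP'
    else:
        integrity = None
    return {
        'conn': m.group('conn'),
        'protocols': sorted(spi),
        'spi': spi,
        'esp_enc': esp_enc,
        'esp_auth': esp_auth,
        'integrity': integrity,
    }


def audit(lines, expect_ah):
    """Check established SAs against the conns we expected to carry AH.

    expect_ah maps conn name -> True/False. Returns a list of findings;
    an empty list means every parsed SA matched expectations and none
    was left without integrity protection.
    """
    findings = []
    for line in lines:
        sa = parse_sa_line(line)
        if sa is None:
            continue
        want = expect_ah.get(sa['conn'])
        has_ah = 'AH' in sa['protocols']
        if want is True and not has_ah:
            findings.append((sa['conn'], 'expected AH, got ' + '+'.join(sa['protocols'])))
        if sa['integrity'] is None:
            findings.append((sa['conn'], 'no integrity protection: ESP without auth and no AH'))
    return findings


if __name__ == '__main__':
    expectations = {'west-east-ah-default': True, 'west-east-ah-3des': True,
                    'west-east-esp-noauth': False}
    for conn, problem in audit(SAMPLE_LINES, expectations):
        print(f'{conn}: {problem}')
```

Run it over "ipsec whack --status" output or the pluto log after bringing the conns up; a conn that appears in the findings established something other than what its configuration requested, which is exactly the auth=ah plus esp=3des case described above.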