[Openswan dev] ESP Null (RFC 2410)

Kabir Ahsan-r9aahw Ahsan.Kabir at freescale.com
Tue Oct 2 10:15:23 EDT 2007


Thanks Paul! I was also wondering whether authentication protocol is
tested for openswan. I am trying to run authentication protocol in a
net-to-net topology and have this ipsec.conf on the two tunnel
endpoints. I ran it without success. I am guessing maybe my ipsec.conf
is not defined correctly.

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

version 2.0     # conforms to second version of ipsec.conf specification

# ?TBD: get rid of the debug settings before shipping!
# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=dns
        interfaces="ipsec0=eth1"
# With this setting, KLIPS will pick up both its interface and the next
# hop information from the settings of the Linux default route.

# Public interfaces - used by ipsec.
# This is already specified in the 'interfaces' clause above,
# unused for now. # include /etc/npvpn_iface.conf

# Default settings for all connections (npvpn conns, others).
#include /etc/npvpn_default.conf

# If you need to add any conns - outside of npvpn, add them here.

#include /etc/npvpn.conf

conn hometooffice
  left=200.200.200.10
  leftid="@home"
  leftsubnet=192.168.3.0/24
  right=200.200.200.20
  rightid="@office"
  rightsubnet=192.168.2.0/24
  ike=3des-sha-modp1536
  auth=ah
  pfs=yes
  authby=secret
  auto=add 

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Tuesday, October 02, 2007 9:05 AM
To: Kabir Ahsan-r9aahw
Cc: Dev at openswan.org
Subject: Re: [Openswan dev] ESP Null (RFC 2410)

On Mon, 1 Oct 2007, Kabir Ahsan-r9aahw wrote:

> Does Openswan support ESP Null? I am interested in running ESP
> protocol with only authentication and no confidentiality. I thought
> running ESP Null would give me that. But it seems to me that ESP null is
> not supported by the Openswan kernel. In other words, in my ipsec.conf
> file I put 'esp=null-sha1' and then when I execute the ipsec.conf file I
> get warning mentioning that the protocol/algorithm is not supported.
>
> Any idea as to how I can get ESP Null working? Is there any patch?
> I am working off of Michael's git repository and I cloned the 'ocf'
> branch.

Openswan 2.4.7 reintroduced ESP_NULL. I am not sure if this has been
ported to the 2.5.x or ocf series yet.

Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

