[Openswan dev] [Openswan Users] auth=ah broken on 2.4.12 release?

Paul Wouters paul at xelerance.com
Thu Sep 4 13:14:50 EDT 2008


On Wed, 3 Sep 2008, austinxxh-ipsec at yahoo.com wrote:

> If I switch "auth=esp" to "auth=ah" in ipsec.conf, all other settings stay the same, the AH+ESP tunnel is set up correctly, however, when I ping from PC1 to PC2, I can only observe "ICMP request" from PC1 all the way to RIGHT_GATEWAY when I run "tcpdump -i eth0" on LEFT_GATEWAY and RIGHT_GATEWAY, there is never an "ICMP reply" was seen on the wire.

Note that "AH+ESP" is ambiguous. ESP contains some AH-like constructs, but "AH+ESP" (something you can mistakenly
configure with racoon/ipsec-tools) is something you should never do.

> Considering "auth=esp" works fine, and the only change I made is to change "esp" to "ah", does that mean "auth=ah" mode is not working under 2.4.12 release?

I guess that might be the case. I think there is some open bug report on ah not working with auto= and only
with manual=.

Paul


More information about the Dev mailing list