[Openswan Users] OpenSwan AH only

Paul Wouters paul at xelerance.com
Tue Sep 14 22:22:36 CEST 2004

On Tue, 14 Sep 2004, Luis Rodrigues wrote:

> I only have one question: Is it possible to use only the AH auth, and no ESP
> ecrypt?

Yes, you can specify: auth=ah

If using KLIPS, you need to make sure it has been compiled with AH support. 
We recently started shipping the default KLIPS configuration without AH

> Tihs is very important to me, because i would like to use a router as a
> remote VPN site, and it has some problems with ESP.

Obviously the proper way to fix this is to replace that device. You can also
try and tweak its configutation a bit so that its bug doesn't get triggered.
For instance, with Watchguard, you can work around a bug in the ESP MD5
HMAC by only offering SHA1. Something similar might be possible for your
router, so you can keep encrypting your VPN (and not turn it into a Virtual
Public Network).

ps. netgraf as in BSD's netgraf? I hope that is not the device in question? :)

More information about the Users mailing list