[Openswan Users] OpenSwan AH only
Paul Wouters
paul at xelerance.com
Tue Sep 14 22:22:36 CEST 2004
On Tue, 14 Sep 2004, Luis Rodrigues wrote:
> I only have one question: Is it possible to use only the AH auth, and no ESP
> encrypt?
Yes, you can specify: auth=ah
If using KLIPS, you need to make sure it has been compiled with AH support.
We recently started shipping the default KLIPS configuration without AH
support.
> This is very important to me, because I would like to use a router as a
> remote VPN site, and it has some problems with ESP.
Obviously the proper way to fix this is to replace that device. You can also
try and tweak its configuration a bit so that its bug doesn't get triggered.
For instance, with Watchguard, you can work around a bug in the ESP MD5
HMAC by only offering SHA1. Something similar might be possible for your
router, so you can keep encrypting your VPN (and not turn it into a Virtual
Public Network).
Paul
ps. netgraf as in BSD's netgraf? I hope that is not the device in question? :)