[Openswan Users] Reg AH n ESP configuration using whack

Paul Wouters paul at xelerance.com
Sun Mar 4 22:52:02 EST 2007

On Mon, 5 Mar 2007, shyam wrote:

> I have configured a test ipsec tunnel between two systems;
> the tunnel is established. But I'm not able to see any AH header; I'm able to
> view only ESP header.
> How can I modify the below setup so that I can have only AH
> or both AH and ESP?

see man ipsec_whack:

              All proposed or accepted IPsec SAs will include non-null ESP.
              The actual choices of  transforms are wired into pluto.

              All  proposed IPsec SAs will include AH. All accepted IPsec SAs
              will include AH or ESP with authentication. The actual choices
              of transforms are wired into pluto. Note that this has nothing
              to do with IKE authentication.

> just by removing --encrypt and adding --authenticate options isn't
> showing any effect

That should work, though I personally never whack manually. Try configuring
an ipsec.conf with esp= and with ah=, and change the "auto" shell script
to include -e so it displays the exact whack commands?

Building and integrating Virtual Private Networks with Openswan:
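
Added example, not part of the original message and not Openswan code: one way to check from a capture whether traffic carries AH, ESP, or AH wrapping ESP is to walk the IPv4 protocol field (50 = ESP, 51 = AH) and the AH next-header chain. The function name, the sample packets (constructed, using documentation addresses) and the 96-bit ICV size are assumptions for illustration.

```python
import struct

ESP, AH = 50, 51  # IANA IP protocol numbers


def ipsec_layers(packet: bytes) -> list:
    """Return the IPsec headers in one raw IPv4 packet, outermost first."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto, offset, layers = packet[9], ihl, []
    while proto == AH:
        if len(packet) < offset + 12:
            raise ValueError("truncated AH header")
        next_header, payload_len = packet[offset], packet[offset + 1]
        layers.append("AH")
        # RFC 4302: Payload Len is the AH length in 32-bit words, minus 2
        offset += (payload_len + 2) * 4
        proto = next_header
    if proto == ESP:
        layers.append("ESP")
    return layers


# --- constructed sample packets (not captured traffic) ---
def _ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + payload


def _ah(next_header: int) -> bytes:
    # 12 fixed bytes + 12-byte ICV = 24 bytes, so Payload Len = 24/4 - 2 = 4
    return struct.pack("!BBHII", next_header, 4, 0, 0x2000, 1) + bytes(12)


_esp = struct.pack("!II", 0x1000, 1) + bytes(16)   # SPI, sequence, opaque data

ESP_ONLY = _ipv4(ESP, _esp)
AH_ONLY = _ipv4(AH, _ah(4) + bytes(20))            # next header 4 = IP-in-IP
AH_AND_ESP = _ipv4(AH, _ah(ESP) + _esp)
PLAIN_TCP = _ipv4(6, bytes(20))

if __name__ == "__main__":
    for name in ("ESP_ONLY", "AH_ONLY", "AH_AND_ESP", "PLAIN_TCP"):
        print(name, ipsec_layers(globals()[name]))
```
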
