[Openswan Users] Reg AH n ESP configuration using whack

shyam shyam at rocsys.com
Tue Mar 6 02:33:55 EST 2007


Thank you Paul,

Yes, I have put my configuration in ipsec.conf and checked it out
using ipsec auto --showonly --add <conname>,
but the whack command that is framed does not contain any "ah" options that I specified,
because the "ah" option is only processed if it is manual keying.
But I require auto keying, so the "ah" option is ignored while parsing ipsec.conf.


When testing other scenarios I found that specifying only "--authenticate"
and "--encrypt" without the --esp option does include AH and ESP headers :-)
The problem here is that I cannot specify the ALGOS that I want.

conn ho2bo1
       leftid=@ho
       left=10.1.6.1
       leftsubnet=172.16.15.0/24
       leftnexthop=10.1.6.2
       leftrsasigkey=0sAQNCC3IN8...
       rightid=@bo1
       right=10.1.5.1
       rightsubnet=192.168.10.0/24
       rightnexthop=10.1.5.2
       rightrsasigkey=0sAQNb88Bj3...
       auth=ah
       esp=3des-md5-96
       ike=aes256-sha1
       auto=start
       keyingtries=%forever
       ah=hmac-md5-96

The Whack Command Framed is:
ipsec whack --name ho2bo1 --encrypt --tunnel --ike aes256-sha1 --esp 3des-md5-96 --authenticate --pfs --dpdaction hold --rsasig 
--host 10.1.6.1 --client 172.16.15.0/24 --nexthop 10.1.6.2 --updown 'ipsec _updown' --id @ho --sendcert always 
--to 
--host 10.1.5.1 --client 192.168.10.0/24 --nexthop 10.1.5.2 --updown 'ipsec _updown' --id @bo1 --sendcert always 
--ipseclifetime 28800 --rekeymargin 540 --keyingtries 0
002 added connection description "ho2bo1"

Best Regards,
Shyam.

On Mon, 5 Mar 2007, shyam wrote:

> I have configured a test ipsec tunnel between two systems.
> The tunnel is established, but I'm not able to see any AH header; I'm able to
> view only the ESP header.
>
> How can I modify the below setup so that I can have only AH
> or both AH and ESP?

see man ipsec_whack:

       --encrypt
              All proposed or accepted IPsec SAs will include non-null ESP.
              The actual choices of  transforms are wired into pluto.

       --authenticate
              All  proposed IPsec SAs will include AH. All accepted IPsec SAs
              will include AH or ESP with authentication. The actual choices
              of transforms are wired into pluto. Note that this has nothing
              to do with IKE authentication.

> Just removing --encrypt and adding --authenticate options isn't
> showing any effect.

That should work, though I personally never whack manually. Try configuring
an ipsec.conf with esp= and with ah=, and change the "auto" shell script
to include -e so it displays the exact whack commands?

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
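Since the question in this thread is whether an AH SA is actually present after the tunnel comes up, here is an added check, not from the list or from the Openswan project: a small parser that reads the text of `ip xfrm state` (assumes the NETKEY/xfrm kernel stack) and reports each installed SA's protocol and algorithms. The sample output is constructed to match the ho2bo1 connection above, not captured from a real host.

```shell
# Added example (not from the thread): summarise which IPsec protocols
# (AH, IP proto 51 / ESP, IP proto 50) and algorithms the kernel actually
# installed, from the text of `ip xfrm state` (NETKEY stack; assumption).
# The sample below is constructed to match the ho2bo1 connection; it is
# not output captured from a real host.
SAMPLE_XFRM='src 10.1.6.1 dst 10.1.5.1
	proto esp spi 0x0a1b2c3d reqid 16385 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(md5) 0x00112233445566778899aabbccddeeff 96
	enc cbc(des3_ede) 0x000102030405060708090a0b0c0d0e0f1011121314151617
src 10.1.5.1 dst 10.1.6.1
	proto ah spi 0x0d0c0b0a reqid 16386 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(md5) 0xffeeddccbbaa99887766554433221100 96'

# Same tunnel with only the ESP SA (first block of the sample), i.e. what the
# original poster saw when ah= was silently dropped for auto keying.
SAMPLE_ESP_ONLY=$(printf '%s\n' "$SAMPLE_XFRM" | head -n 5)

# One line per SA: "<src>-><dst> <proto> <auth-alg> <enc-alg>" ("-" if absent).
summarize_sas() {
    printf '%s\n' "$1" | awk '
        function flush() { if (proto != "") print src "->" dst, proto, auth, enc; proto = "" }
        $1 == "src"                        { flush(); src = $2; dst = $4; auth = "-"; enc = "-" }
        $1 == "proto"                      { proto = $2 }
        $1 == "auth" || $1 == "auth-trunc" { auth = $2 }
        $1 == "enc"                        { enc = $2 }
        END                                { flush() }'
}

# Distinct protocols present, sorted and space-separated, e.g. "ah esp".
sa_protocols() {
    summarize_sas "$1" | awk '{ print $2 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Succeeds only if at least one AH SA is installed.
has_ah() {
    case " $(sa_protocols "$1") " in
        *" ah "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Usage: on a live host replace the sample with "$(ip xfrm state)".
summarize_sas "$SAMPLE_XFRM"
has_ah "$SAMPLE_XFRM" && echo "AH present" || echo "ESP only"
```

On the KLIPS stack the equivalent information comes from `ipsec spi` in a different format that this parser does not handle.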
