[Openswan Users] Reg AH n ESP configuration using whack
Paul Wouters
paul at xelerance.com
Mon Mar 5 10:55:31 EST 2007
On Tue, 6 Mar 2007, shyam wrote:
> yes i have put my configuration in ipsec.conf and checked it out
> using ipsec auto --showonly --add <conname>
> but the whack command that is framed does not contain any "ah" options that i specified
> because "ah" option is only processed if it is manual keying.
AFAIK AH vs ESP has nothing to do with manual vs auto.
> but i require auto keying so "ah" option is ignored while parsing ipsec.conf
But I believe ah= has similar options. Again, I'm not sure because I never
use AH or manual keying.
> when testing other scenarios i found that specifying only "--authenticate"
> and "--encrypt" without the --esp option it does include AH and ESP headers :-)
> the problem here is that i cannot specify the ALGOS that i want.
With manual keying you cannot negotiate ciphers. You have to pick 1. With automatic
keying, you can pick multiple and let IKE come to a mutual decision. Remember that
with manual keying, you don't talk to the other end to discuss any property of
the connection. It is ALL hardcoded. That's why you should not use manual keying at
all. I am also not sure why you want to use AH, but at times people believe it is
better for QoS purposes.
> conn ho2bo1
> leftid=@ho
> left=10.1.6.1
> leftsubnet=172.16.15.0/24
> leftnexthop=10.1.6.2
> leftrsasigkey=0sAQNCC3IN8...
> rightid=@bo1
> right=10.1.5.1
> rightsubnet=192.168.10.0/24
> rightnexthop=10.1.5.2
> rightrsasigkey=0sAQNb88Bj3...
> auth =ah
> esp=3des-md5-96
You probably mean ah=3des-md5-96
> ike=aes256-sha1
> auto=start
So this is an automatic keying, not manual keying because you are using the auto
command. I think you need manual=start
> keyingtries=%forever
> ah=hmac-md5-96
Paul
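The conn block quoted above, run through a small lint script. This is an added example written for this thread; it is not Openswan's own ipsec.conf parser and is not code from either poster. It assumes the strict `key=value` line form and checks the three points the exchange raises: a setting written as `auth =ah` (whitespace around `=`) is reported as malformed rather than silently accepted, `auth=ah` combined with an algorithm list in `esp=` but no `ah=` is flagged per Paul's remark, and `ah=` appearing together with `auto=` keying is flagged because the thread reports `ah=` is only processed for manual keying. The conn text is constructed from the quoted block, with the RSA keys truncated exactly as they appear there.

```python
"""Lint an ipsec.conf conn section for the AH/ESP mistakes discussed in the thread.
Added example, not Openswan's parser; whitespace handling is an assumption."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the conn block quoted in the thread (keys truncated as shown there).
SAMPLE_CONF = """\
conn ho2bo1
    leftid=@ho
    left=10.1.6.1
    leftsubnet=172.16.15.0/24
    leftnexthop=10.1.6.2
    leftrsasigkey=0sAQNCC3IN8...
    rightid=@bo1
    right=10.1.5.1
    rightsubnet=192.168.10.0/24
    rightnexthop=10.1.5.2
    rightrsasigkey=0sAQNb88Bj3...
    auth =ah
    esp=3des-md5-96
    ike=aes256-sha1
    auto=start
    keyingtries=%forever
    ah=hmac-md5-96
"""

SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)\s*$")
# Strict key=value form: no whitespace on either side of '='.
STRICT_KV_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_-]*)=(.*)$")
# Loose form, used only to recognise lines the strict parser rejects.
LOOSE_KV_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_-]*)\s*=\s*(.*)$")


def parse_conns(text: str) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Return ({conn_name: {key: value}}, warnings).

    Only strict `key=value` lines are stored. A line like `auth =ah` is reported
    as a warning and dropped (assumption: treat it as not recognised).
    """
    conns: Dict[str, Dict[str, str]] = {}
    warnings: List[str] = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding blanks
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(2) if m.group(1) == "conn" else None
            if current is not None:
                conns.setdefault(current, {})
            continue
        if current is None:
            continue  # settings outside a conn section are out of scope here
        m = STRICT_KV_RE.match(line)
        if m:
            conns[current][m.group(1)] = m.group(2).strip()
            continue
        m = LOOSE_KV_RE.match(line)
        if m:
            warnings.append(f"line {lineno}: '{line}' has whitespace around '=', "
                            f"dropping key {m.group(1)!r} as malformed")
        else:
            warnings.append(f"line {lineno}: cannot parse '{line}'")
    return conns, warnings


def lint_conn(name: str, s: Dict[str, str]) -> List[str]:
    """Findings for one conn, based on the points raised in the thread."""
    findings: List[str] = []
    if "auth" not in s:
        # auth= defaults to esp, so AH is not selected at all if the line was malformed.
        findings.append(f"{name}: no auth= setting parsed, so AH is not selected (default is esp)")
    if s.get("auth") == "ah" and "esp" in s and "ah" not in s:
        findings.append(f"{name}: auth=ah with esp={s['esp']} but no ah=; the AH algorithm "
                        f"list probably belongs in ah= (Paul's remark)")
    if "auto" in s and "ah" in s:
        findings.append(f"{name}: ah={s['ah']} together with auto={s['auto']}; the thread "
                        f"reports ah= is only processed for manual keying")
    return findings


def lint_text(text: str) -> List[str]:
    """Parse warnings followed by per-conn findings, one string each."""
    conns, warnings = parse_conns(text)
    out = list(warnings)
    for name, settings in conns.items():
        out.extend(lint_conn(name, settings))
    return out


if __name__ == "__main__":
    for msg in lint_text(SAMPLE_CONF):
        print(msg)
```

Run it before `ipsec auto --showonly --add <conname>`: for the quoted block it reports the malformed `auth =ah` line, that no `auth=` was therefore parsed, and the `ah=` line sitting in an `auto=start` connection.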