[Openswan Users] "auth=ah" mode broken on 2.4.12 release?

austinxxh-ipsec at yahoo.com austinxxh-ipsec at yahoo.com
Thu Sep 4 11:35:59 EDT 2008


Below is my network topology:

PC1(192.168.1.21)--                       --PC2(192.168.2.21)
                  |                       |
           LEFT_GATEWAY --------------- RIGHT_GATEWAY
          eth1      eth0                eth0      eth1
   192.168.1.160 200.200.200.10  200.200.200.20   192.168.2.160

With default "auth=esp", I can set up the tunnel between two subnets(192.168.1.0/24, 192.168.2.0/24), and ping from PC1 to PC2.

If I switch "auth=esp" to "auth=ah" in ipsec.conf, all other settings stay the same, the AH+ESP tunnel is set up correctly, however, when I ping from PC1 to PC2, I can only observe "ICMP request" from PC1 all the way to RIGHT_GATEWAY when I run "tcpdump -i eth0" on LEFT_GATEWAY and RIGHT_GATEWAY, there is never an "ICMP reply" was seen on the wire.

Considering "auth=esp" works fine, and the only change I made is to change "esp" to "ah", does that mean "auth=ah" mode is not working under 2.4.12 release?

Thanks!
Xiao


More information about the Users mailing list