[Openswan Users] "auth=ah" mode broken on 2.4.12 release?

austinxxh-ipsec at yahoo.com austinxxh-ipsec at yahoo.com
Thu Sep 4 11:35:59 EDT 2008

Below is my network topology:

PC1(                       --PC2(
                  |                       |
           LEFT_GATEWAY --------------- RIGHT_GATEWAY
          eth1      eth0                eth0      eth1

With default "auth=esp", I can set up the tunnel between two subnets(,, and ping from PC1 to PC2.

If I switch "auth=esp" to "auth=ah" in ipsec.conf, with all other settings staying the same, the AH+ESP tunnel is set up correctly. However, when I ping from PC1 to PC2 and run "tcpdump -i eth0" on LEFT_GATEWAY and RIGHT_GATEWAY, I can only observe the "ICMP request" from PC1 all the way to RIGHT_GATEWAY; an "ICMP reply" is never seen on the wire.

Considering "auth=esp" works fine, and the only change I made is to change "esp" to "ah", does that mean "auth=ah" mode is not working under 2.4.12 release?
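The symptom described in this post (echo requests cross the tunnel, no echo reply ever appears) is easy to misjudge by eye in a busy capture. The following script is an added example, not part of the original post or of Openswan: it pairs ICMP echo requests with their replies by id/seq in tcpdump-style text output and counts AH/ESP headers per direction, so a tunnel that only ever carries traffic one way is reported explicitly. The capture lines and addresses (RFC 5737 documentation ranges) are constructed for the example, as is the `analyse` function.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not from the original post). They model
# the poster's observation: outer AH+ESP packets and inner echo requests go
# left-to-right, and no reply ever comes back.
SAMPLE_CAPTURE = """\
11:35:59.000100 IP 203.0.113.1 > 203.0.113.2: AH(spi=0x1000,sumlen=16,seq=0x1): ESP(spi=0x2000,seq=0x1), length 124
11:35:59.000200 IP 192.0.2.10 > 198.51.100.10: ICMP echo request, id 4321, seq 1, length 64
11:36:00.000100 IP 203.0.113.1 > 203.0.113.2: AH(spi=0x1000,sumlen=16,seq=0x2): ESP(spi=0x2000,seq=0x2), length 124
11:36:00.000200 IP 192.0.2.10 > 198.51.100.10: ICMP echo request, id 4321, seq 2, length 64
"""

# A healthy two-way exchange, also constructed, for comparison.
HEALTHY_CAPTURE = """\
11:40:00.000100 IP 203.0.113.1 > 203.0.113.2: AH(spi=0x1000,sumlen=16,seq=0x1): ESP(spi=0x2000,seq=0x1), length 124
11:40:00.000200 IP 192.0.2.10 > 198.51.100.10: ICMP echo request, id 7, seq 1, length 64
11:40:00.000300 IP 203.0.113.2 > 203.0.113.1: AH(spi=0x1001,sumlen=16,seq=0x1): ESP(spi=0x2001,seq=0x1), length 124
11:40:00.000400 IP 198.51.100.10 > 192.0.2.10: ICMP echo reply, id 7, seq 1, length 64
"""

ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+)")
# Matches the outermost IPsec header on the line (AH when AH+ESP is used).
TUNNEL_RE = re.compile(r"IP (\S+) > (\S+): (AH|ESP)\(")


def analyse(capture):
    """Return (unanswered_requests, tunnel_counts).

    unanswered_requests: list of (src, dst, id, seq) for every echo request
    that has no matching reply (same id/seq, addresses reversed).
    tunnel_counts: {(src, dst, proto): n} counting outer AH/ESP packets per
    direction between the gateways.
    """
    requests = []
    replies = set()
    tunnel_counts = defaultdict(int)
    for line in capture.splitlines():
        m = ICMP_RE.search(line)
        if m:
            src, dst, kind, ident, seq = m.groups()
            if kind == "request":
                requests.append((src, dst, ident, seq))
            else:
                # Store the reply keyed as the request it answers (addresses swapped).
                replies.add((dst, src, ident, seq))
            continue
        m = TUNNEL_RE.search(line)
        if m:
            src, dst, proto = m.groups()
            tunnel_counts[(src, dst, proto)] += 1
    unanswered = [r for r in requests if r not in replies]
    return unanswered, dict(tunnel_counts)


def is_one_way(tunnel_counts):
    """True when IPsec packets were seen in only one direction between the gateways."""
    directions = {(src, dst) for (src, dst, _proto) in tunnel_counts}
    return any((dst, src) not in directions for (src, dst) in directions)


if __name__ == "__main__":
    for name, cap in (("broken", SAMPLE_CAPTURE), ("healthy", HEALTHY_CAPTURE)):
        unanswered, counts = analyse(cap)
        print(f"{name}: {len(unanswered)} unanswered echo request(s); "
              f"one-way tunnel traffic: {is_one_way(counts)}")
        for src, dst, proto in counts:
            print(f"  {proto} {src} -> {dst}: {counts[(src, dst, proto)]} packet(s)")
```

Feed it `tcpdump -n -i eth0` output saved to a file in place of the constructed strings; an echo request that never pairs with a reply, together with AH/ESP packets in only one direction, confirms the return path is the problem rather than the outbound SA.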

