[Openswan Users] auth=ah broken on 2.4.12 release?

austinxxh-ipsec at yahoo.com
Thu Sep 4 13:52:03 EDT 2008


When I use "auth=ah", "ipsec spi" shows both ESP and AH, while I am expecting AH only. The tunnel is up but not bidirectional. A message here: http://osdir.com/ml/network.openswan.devel/2007-05/msg00001.html says it's expected; I don't really know why.

If I replace "auth=ah" with "auth=esp" (the default) and add "esp=3des-sha1", I only see ESP; adding one more line, "ah=hmac-md5-96", I see AH as well. In general I feel "auth=esp" works well. However, I do not really know what "auth=ah" does in openswan and whether it indeed works.

I will try manual to see if "auth=ah" works at all.

Thanks!
Xiao


--- On Thu, 9/4/08, Paul Wouters <paul at xelerance.com> wrote:

> From: Paul Wouters <paul at xelerance.com>
> Subject: Re: [Openswan Users] auth=ah broken on 2.4.12 release?
> To: austinxxh-ipsec at yahoo.com
> Cc: dev at openswan.org
> Date: Thursday, September 4, 2008, 12:14 PM
> On Wed, 3 Sep 2008, austinxxh-ipsec at yahoo.com wrote:
> 
> > If I switch "auth=esp" to "auth=ah" in ipsec.conf, all other settings stay
> > the same, the AH+ESP tunnel is set up correctly; however, when I ping from
> > PC1 to PC2, I can only observe "ICMP request" from PC1 all the way to
> > RIGHT_GATEWAY when I run "tcpdump -i eth0" on LEFT_GATEWAY and
> > RIGHT_GATEWAY; an "ICMP reply" is never seen on the wire.
> 
> Note that "AH+ESP" is ambiguous. ESP contains
> some AH-like constructs, but "AH+ESP" (something
> you can mistakenly
> configure with racoon/ipsec-tools) is something you should
> never do.
> 
> > Considering "auth=esp" works fine, and the only change I made is to change
> > "esp" to "ah", does that mean "auth=ah" mode is not working under the
> > 2.4.12 release?
> 
> I guess that might be the case. I think there is some open
> bug report on ah not working with auto= and only
> with manual=.
> 
> Paul
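The symptom in this thread (an AH SA plus an unexpected ESP SA in one direction, and no SA at all in the other) can be caught from the SA listing before any ping is attempted. The script below is an added example, not code from the thread or from Openswan: it parses a listing and reports whether the protocols present match the `auth=` value that was configured and whether both directions have an SA. The sample lines are constructed to resemble KLIPS `ipsec spi` output (`esp0x…@addr ESP_…: dir=out …`); the exact format of your stack may differ, so the regex is an assumption to adapt, and the check assumes the listing contains a single tunnel.

```python
"""Check an IPsec SA listing against the auth= setting in ipsec.conf.

Added example, not Openswan code.  The SA-line format below is an
assumption modelled on KLIPS `ipsec spi` output; adjust SA_LINE for
your stack (for example `ip xfrm state` on NETKEY prints differently).
"""
import re

# Assumed line shape: <proto>0x<spi>@<address> <ALGORITHM>: dir=<in|out> ...
SA_LINE = re.compile(
    r"^(?P<proto>tun|esp|ah)0x[0-9a-fA-F]+@(?P<addr>\S+)\s+\S+:\s+dir=(?P<dir>in|out)"
)

# Constructed sample: the situation described in the thread after setting
# auth=ah.  An AH SA and an ESP SA both exist outbound, nothing inbound.
SAMPLE_AH_ONLY_ATTEMPT = """\
tun0x1002@192.0.2.2 IPIP: dir=out src=198.51.100.1
esp0x1a2b3c4d@192.0.2.2 ESP_3DES_HMAC_MD5: dir=out src=198.51.100.1
ah0x5e6f7a8b@192.0.2.2 AH_HMAC_MD5: dir=out src=198.51.100.1
"""

# Constructed sample: a healthy ESP-only tunnel with SAs in both directions.
SAMPLE_ESP_GOOD = """\
tun0x1001@192.0.2.2 IPIP: dir=out src=198.51.100.1
esp0x1a2b3c4d@192.0.2.2 ESP_3DES_HMAC_SHA1: dir=out src=198.51.100.1
tun0x1003@198.51.100.1 IPIP: dir=in src=192.0.2.2
esp0x9f8e7d6c@198.51.100.1 ESP_3DES_HMAC_SHA1: dir=in src=192.0.2.2
"""


def protocols_by_direction(text):
    """Return {"in": set_of_protocols, "out": set_of_protocols}.

    The IPIP pseudo-SA ("tun") is skipped: it carries no protection and
    is present for any tunnel-mode SA, so it says nothing about AH vs ESP.
    """
    seen = {"in": set(), "out": set()}
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m and m.group("proto") != "tun":
            seen[m.group("dir")].add(m.group("proto"))
    return seen


def check_sas(text, auth):
    """List discrepancies between the SAs present and auth=<ah|esp>.

    A configured auth= value should yield exactly that protocol in each
    direction.  Any direction with no SA means traffic can only flow one
    way, which is what a one-sided tcpdump (requests but no replies) shows.
    """
    if auth not in ("ah", "esp"):
        raise ValueError("auth must be 'ah' or 'esp'")
    want = {auth}
    problems = []
    seen = protocols_by_direction(text)
    for direction in ("in", "out"):
        have = seen[direction]
        if not have:
            problems.append(f"no {direction}bound SA: traffic can only flow one way")
            continue
        for proto in sorted(have - want):
            problems.append(f"unexpected {proto} SA {direction}bound for auth={auth}")
        for proto in sorted(want - have):
            problems.append(f"missing {proto} SA {direction}bound for auth={auth}")
    return problems


if __name__ == "__main__":
    # Run on the constructed samples; feed real `ipsec spi` output instead
    # by replacing the text argument with the captured listing.
    for name, text, auth in (("auth=ah attempt", SAMPLE_AH_ONLY_ATTEMPT, "ah"),
                             ("auth=esp tunnel", SAMPLE_ESP_GOOD, "esp")):
        result = check_sas(text, auth)
        print(f"{name}: {'OK' if not result else ''}")
        for p in result:
            print(f"  - {p}")
```

Run against a captured listing, the first finding to look for is a missing direction; only when both directions exist does a protocol mismatch (an ESP SA under `auth=ah`, or vice versa) indicate that the configured mode was not honoured.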

