[Openswan Users] auth=ah broken on 2.4.12 release?
David McCullough
David_Mccullough at securecomputing.com
Thu Sep 4 20:52:03 EDT 2008
Jivin austinxxh-ipsec at yahoo.com lays it down ...
> When I use "auth=ah", "ipsec spi" will show both ESP and AH, while I am expecting AH only. The tunnel is up but not bi-directional. A message here: http://osdir.com/ml/network.openswan.devel/2007-05/msg00001.html says it's expected, I don't really know why.
>
> If I replaced "auth=ah" with "auth=esp" (default), then added "esp=3des-sha1", I only saw ESP; then, adding one more line as "ah=hmac-md5-96", I saw AH as well. In general I feel "auth=esp" works well. However, I do not really know what "auth=ah" does in Openswan and whether it indeed works.
>
> I will try manual to see if "auth=ah" works at all.
Here is a config I used to test AH on an older 2.4 Openswan release
using OCF.

version 2

config setup
    interfaces = "ipsec0=eth3"
    klipsdebug = none
    plutodebug = none
    manualstart = test
    uniqueids = yes

conn test
    type = tunnel
    leftsubnet = 192.168.0.0/24
    left = 10.31.1.2
    right = 10.31.1.1
    spi = 0x101
    ahkey = 0x4a923631_4d4b2a73_11b4fb88_633d40d9
    ah = hmac-md5-96

Hope that helps,
Cheers,
Davidm
> --- On Thu, 9/4/08, Paul Wouters <paul at xelerance.com> wrote:
>
> > From: Paul Wouters <paul at xelerance.com>
> > Subject: Re: [Openswan Users] auth=ah broken on 2.4.12 release?
> > To: austinxxh-ipsec at yahoo.com
> > Cc: dev at openswan.org
> > Date: Thursday, September 4, 2008, 12:14 PM
> > On Wed, 3 Sep 2008, austinxxh-ipsec at yahoo.com wrote:
> >
> > > If I switch "auth=esp" to "auth=ah" in ipsec.conf, all other settings stay
> > > the same, the AH+ESP tunnel is set up correctly, however, when I ping from
> > > PC1 to PC2, I can only observe "ICMP request" from PC1 all the way to
> > > RIGHT_GATEWAY when I run "tcpdump -i eth0" on LEFT_GATEWAY and
> > > RIGHT_GATEWAY, there is never an "ICMP reply" seen on the wire.
> >
> > Note that "AH+ESP" is ambiguous. ESP contains some AH-like constructs, but
> > "AH+ESP" (something you can mistakenly configure with racoon/ipsec-tools)
> > is something you should never do.
> >
> > > Considering "auth=esp" works fine, and the only change I made is to change
> > > "esp" to "ah", does that mean "auth=ah" mode is not working under 2.4.12
> > > release?
> >
> > I guess that might be the case. I think there is some open bug report on ah
> > not working with auto= and only with manual=.
> >
> > Paul
--
David McCullough, david_mccullough at securecomputing.com, Ph:+61 734352815
Secure Computing - SnapGear http://www.uCdot.org http://www.snapgear.com