[Openswan Users] I want to know the ipsec.config for AH+ESP or AH only

Paul Wouters paul at xelerance.com
Thu Jun 18 09:25:49 EDT 2009

On Thu, 18 Jun 2009, 서동욱 wrote:

> During test, I had a question about AH+ESP or AH only

AH+ESP is not supported, as it makes no sense. Only manual setkey
commands or broken IKE daemons let you setup the double header. Openswan
does not allow it.

> I did test with this option("auth=ah" or "phase2=ah, phase2=md5")
> the isakmp session was establisehd but IPsec sa wasn't established.

auth=ah or phase2=ah should work, but we are not testing AH regularly,
so there might be a problem there. You are more likely to be lucky
using esp=null.

Both AH and manual keying are not really used, and candidates for
removal from Openswan. Hence, these options are not very well tested
or maintained.


More information about the Users mailing list