Date: Mon, 09 Jul 2001 01:51:10 +0900 (JST)
From: Motonori Shindo <mshindo@mshindo.net>
To: freebsd-net@FreeBSD.ORG
Subject: Tunnel Mode AH
Message-ID: <20010709.015110.52175108.mshindo@mshindo.net>
Hi,

I have a question regarding IPsec tunnel mode AH processing. ipsec(4) says:

    AH tunnel may not work as you might expect. If you configure
    ``require'' policy against AH tunnel for inbound, tunneled packets
    will be rejected. This is because AH authenticates encapsulating
    (outer) packet, not the encapsulated (inner) packet.

I am seeing exactly what is explained in this paragraph: IKE (racoon) successfully establishes IPsec SAs for both directions, and packets get properly encapsulated (tunnel-mode AH) and sent to the peer, but the peer appears to be rejecting the packets. If I change the parameter in the policy setting from 'required' to 'use', it works just fine.

setkey(8) also says that:

    require means SA is required whenever the kernel deals with the
    packet.

Even if the policy is specified as "required", it looks (at least to me) as though the SA (destination address, security protocol (AH/ESP), and SPI) is properly established. I don't see anything that can prevent it from working if the policy is specified as 'require'.

Will anybody here help me understand this?

Regards,

Motonori Shindo
Sr. Systems Engineer
CoSine Communications Inc.
e-mail: mshindo@cosinecom.com
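As an added illustration of the policy change the poster describes (this is not configuration from the original message), the setkey(8) fragment below shows an AH tunnel between two gateways with the outbound direction kept at `require` and only the inbound direction relaxed to `use`, which is the direction the ipsec(4) caveat affects. The subnets and gateway addresses are assumed placeholders.

```conf
# setkey.conf -- constructed example, not from the original post.
# Assumed topology: local subnet 10.0.1.0/24 behind gateway 192.0.2.1,
# remote subnet 10.0.2.0/24 behind gateway 192.0.2.2. SAs are negotiated
# by racoon, so only the SPD entries are shown here.

flush;
spdflush;

# Outbound: a tunnel-mode AH SA is mandatory. The kernel applies AH to the
# outer packet it builds, so 'require' works here.
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
    ah/tunnel/192.0.2.1-192.0.2.2/require;

# Inbound: with 'require', decapsulated packets are dropped, because AH
# authenticated the outer packet and the inner packet carries no AH of its
# own (see ipsec(4)). 'use' keeps the tunnel but lets inner packets through.
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
    ah/tunnel/192.0.2.2-192.0.2.1/use;
```

Load it with `setkey -f setkey.conf` and check the installed policies with `setkey -DP`; note that with `use` on the inbound side the kernel no longer enforces that traffic from 10.0.2.0/24 arrived through the tunnel, so filtering on the gateway should be relied on for that.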