Date: Mon, 09 Jul 2001 01:51:10 +0900 (JST)
From: Motonori Shindo <mshindo@mshindo.net>
To: freebsd-net@FreeBSD.ORG
Subject: Tunnel Mode AH
Message-Id: <20010709.015110.52175108.mshindo@mshindo.net>

Hi,

I have a question regarding IPsec tunnel mode AH processing. ipsec(4) says:

    AH tunnel may not work as you might expect. If you configure
    ``require'' policy against AH tunnel for inbound, tunneled packets
    will be rejected. This is because AH authenticates encapsulating
    (outer) packet, not the encapsulated (inner) packet.

I am seeing exactly what is explained in this paragraph; IKE (racoon) successfully establishes IPsec SAs for both directions, and packets get properly encapsulated (tunnel-mode AH) and sent to the peer, but the peer looks like it is rejecting the packets. If I change the parameter in the policy setting from 'require' to 'use', it works just fine.

setkey(8) also says that:

    require means SA is required whenever the kernel deals with the
    packet.

Even if the policy is specified as "require", it looks (at least to me) as though the SA (destination address, security protocol (AH/ESP), and SPI) is properly established. I don't see anything that can prevent it from working if the policy is specified as 'require'.

Will anybody here help me understand this?

Regards,

Motonori Shindo
Sr. Systems Engineer
CoSine Communications Inc.
e-mail: mshindo@cosinecom.com
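The setkey(8) policy configuration the mail describes, written out as an added example (this is not from the original mail or from the FreeBSD project): a tunnel-mode AH SPD with the inbound policy at level ``use'', and the ``require'' variant that ipsec(4) says will reject the decapsulated packets kept alongside it, commented out. The gateway addresses 192.0.2.1 (local) and 192.0.2.2 (peer) and the protected networks 10.0.1.0/24 and 10.0.2.0/24 are constructed placeholders; the SAs themselves are expected to be installed by IKE (racoon), so no ``add'' entries appear here.

```conf
# Added example: setkey(8) SPD for tunnel-mode AH between two gateways.
# Addresses and networks are constructed placeholders, not real hosts.
flush;
spdflush;

# Outbound traffic from the local network must be sent through the
# tunnel-mode AH SA from 192.0.2.1 (local gateway) to 192.0.2.2 (peer).
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
    ah/tunnel/192.0.2.1-192.0.2.2/require;

# Inbound traffic from the peer's network. Level "use": apply the AH
# tunnel SA when it exists, but do not reject the decapsulated inner
# packet for lacking AH of its own. This is the setting that works.
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
    ah/tunnel/192.0.2.2-192.0.2.1/use;

# Level "require" on the same inbound selector. Per ipsec(4), AH only
# authenticates the outer (encapsulating) packet, so the inner packet
# fails this check after decapsulation and is dropped. Kept for
# comparison; do not enable both entries for the same selector.
#spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
#    ah/tunnel/192.0.2.2-192.0.2.1/require;
```

Load the file with ``setkey -f`` and inspect the resulting policies with ``setkey -DP``; the SA database populated by racoon can be checked with ``setkey -D``. The trade-off is that ``use`` on the inbound policy no longer makes the kernel refuse matching inner packets that arrived without AH protection, so the inbound direction relies on the tunnel SA being present rather than on the policy enforcing it.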