Date:      Mon, 09 Jul 2001 09:20:43 +0900
From:      itojun@iijlab.net
To:        Motonori Shindo <mshindo@mshindo.net>
Cc:        freebsd-net@FreeBSD.ORG
Subject:   Re: Tunnel Mode AH 
Message-ID:  <3919.994638043@itojun.org>
In-Reply-To: mshindo's message of Mon, 09 Jul 2001 01:51:10 +0900. <20010709.015110.52175108.mshindo@mshindo.net>

>Even if the policy is specified as "required", it looks (at least, to
>me) that SA (destination address, Security Protocol(AH/ESP), and SPI)
>is properly established. I don't see anything that can prevent it from
>working if the policy is specified as 'require'. 
>
>Will anybody here help me understand this?

	IKE is not the issue, SA establishment is not the issue.  the issue bites
	you when you actually receive an AH tunnel packet which matches a "require"
	policy (inbound).  they will get rejected.
	we (KAME) are at this moment using a 1-bit mbuf flag to remember which mbuf
	is authenticated or not.  this way, we cannot handle the tunnelled AH case.
	check out the latest manpage for a little bit better description:
	http://www.kame.net/dev/cvsweb.cgi/kame/kame/kame/man/man4/ipsec.4

itojun
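Added illustration of the point above; this is a constructed model written for this archive page, not KAME code. It contrasts the single "authenticated" mbuf bit the message describes with an assumed alternative that records the mode of each verified AH header, and shows why an inbound "ah/tunnel ... require" policy check has nothing to match against under the one-bit scheme. Struct and function names are invented for the example.

```c
#include <stdbool.h>

/* Constructed model (not KAME code) of why a single "authenticated" bit
 * cannot satisfy an inbound "ah/tunnel ... require" policy. */
enum ipsec_mode { MODE_TRANSPORT = 0, MODE_TUNNEL = 1 };

/* Scheme A: the 1-bit mbuf flag the message describes. */
struct pkt_bitflag { bool authenticated; };

/* Scheme B (assumed alternative): keep the mode of every AH header that
 * was verified on the way in, so the decapsulated packet keeps the record. */
#define MAX_LAYERS 4
struct pkt_history { int n; enum ipsec_mode mode[MAX_LAYERS]; };

/* Inbound AH processing: mark the packet as verified under each scheme. */
void ah_input_bitflag(struct pkt_bitflag *p, enum ipsec_mode m) {
    (void)m;                 /* one bit has no room for the mode */
    p->authenticated = true;
}
void ah_input_history(struct pkt_history *p, enum ipsec_mode m) {
    if (p->n < MAX_LAYERS) p->mode[p->n++] = m;
}

/* Inbound "require" check: the packet must show it was protected by AH in
 * the mode the policy names, otherwise it is rejected. True = accepted. */
bool policy_check_bitflag(const struct pkt_bitflag *p, enum ipsec_mode req) {
    if (!p->authenticated) return false;
    /* The bit can only vouch for an AH header on this very packet, i.e.
     * transport mode. A tunnel-mode requirement cannot be verified. */
    return req == MODE_TRANSPORT;
}
bool policy_check_history(const struct pkt_history *p, enum ipsec_mode req) {
    for (int i = 0; i < p->n; i++)
        if (p->mode[i] == req) return true;
    return false;
}

/* Scenario from the thread: a tunnel-mode AH packet arrives and the inbound
 * policy says "ah/tunnel/require". Returns true if the packet is accepted. */
bool tunnel_ah_accepted_bitflag(void) {
    struct pkt_bitflag p = { false };
    ah_input_bitflag(&p, MODE_TUNNEL);
    return policy_check_bitflag(&p, MODE_TUNNEL);   /* false: rejected */
}
bool tunnel_ah_accepted_history(void) {
    struct pkt_history p = { 0 };
    ah_input_history(&p, MODE_TUNNEL);
    return policy_check_history(&p, MODE_TUNNEL);   /* true: accepted */
}
```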
