From: itojun@iijlab.net
To: Motonori Shindo
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: Tunnel Mode AH
Date: Mon, 09 Jul 2001 09:20:43 +0900
Message-ID: <3919.994638043@itojun.org>
In-reply-to: mshindo's message of Mon, 09 Jul 2001 01:51:10 +0900. <20010709.015110.52175108.mshindo@mshindo.net>

>Even if the policy is specified as "required", it looks (at least, to
>me) that SA (destination address, Security Protocol (AH/ESP), and SPI)
>is properly established. I don't see anything that can prevent it from
>working if the policy is specified as 'require'.
>
>Will anybody here help me understand this?

	IKE is not the issue, SA establishment is not the issue.
	the issue bites you when you actually receive an AH tunnel packet which
	matches "require" policy (inbound).  they will get rejected.

	we (KAME) are at this moment using 1-bit mbuf flag to remember which
	mbuf is authenticated or not.  this way, we cannot handle tunnelled AH
	case.  check out the latest manpage for a little bit better description:
	http://www.kame.net/dev/cvsweb.cgi/kame/kame/kame/man/man4/ipsec.4

itojun
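A constructed C model of the limitation itojun describes, added here as an illustration and not taken from KAME or FreeBSD: an inbound policy check that remembers only one "authenticated" bit per packet cannot tell AH applied in transport mode from AH applied on a tunnel's outer header, so a "require AH tunnel" policy either passes transport-AH packets or, as the mail says KAME does, rejects tunnel AH. A per-layer record of what was applied lets the check match protocol and mode exactly. All type and function names below are made up.

```c
/* Constructed model (added example, not KAME's code) contrasting the single
 * "authenticated" mbuf bit the mail describes with a per-layer record of
 * the IPsec processing an inbound packet received. Names are made up. */
#include <stdbool.h>

enum proto { P_AH, P_ESP };
enum mode  { M_TRANSPORT, M_TUNNEL };
struct layer { enum proto proto; enum mode mode; };
struct req   { enum proto proto; enum mode mode; };  /* one "require" entry */
struct pkt_bit  { bool authenticated; };             /* model A: one bit */
struct pkt_hist { int n; struct layer layer[4]; };   /* model B: history */

/* Inbound processing fills both models from the layers actually applied;
 * the bit is set by any AH, so the mode AH was used in is lost. */
static void record(const struct layer *applied, int n,
                   struct pkt_bit *b, struct pkt_hist *h)
{
    b->authenticated = false;
    h->n = 0;
    for (int i = 0; i < n && i < 4; i++) {
        h->layer[h->n++] = applied[i];
        if (applied[i].proto == P_AH)
            b->authenticated = true;
    }
}
/* Model A: "AH required" can only mean "some AH authenticated this", so a
 * tunnel-mode requirement is either satisfied by transport AH (too
 * permissive) or, as the mail says KAME does, rejected outright. */
static bool accept_with_bit(const struct pkt_bit *b, const struct req *r)
{
    return r->proto == P_AH && b->authenticated;
}
/* Model B: the exact protocol and mode must appear in the history. */
static bool accept_with_hist(const struct pkt_hist *h, const struct req *r)
{
    for (int i = 0; i < h->n; i++)
        if (h->layer[i].proto == r->proto && h->layer[i].mode == r->mode)
            return true;
    return false;
}
/* Receive a constructed packet and check it against one policy entry. */
bool check(const struct layer *applied, int n, struct req r, bool use_hist)
{
    struct pkt_bit b; struct pkt_hist h;
    record(applied, n, &b, &h);
    return use_hist ? accept_with_hist(&h, &r) : accept_with_bit(&b, &r);
}
/* Constructed inbound packets: AH in transport mode, AH in tunnel mode. */
const struct layer transport_ah[] = { { P_AH, M_TRANSPORT } };
const struct layer tunnel_ah[]    = { { P_AH, M_TUNNEL } };
```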