Date: Fri, 9 Apr 2004 13:44:25 -0700 (PDT)
From: Runfang Zhou <rzhou@ISI.EDU>
To: freebsd-net@freebsd.org
Cc: xbone@ISI.EDU
Subject: IPsec in Freebsd
Message-ID: <Pine.GSO.4.58.0404091334410.28695@boreas.isi.edu>

In RFC 2401:

"For transport mode SAs, only one ordering of security protocols seems appropriate. AH is applied to both the upper layer protocols and (parts of) the IP header. Thus if AH is used in a transport mode, in conjunction with ESP, AH SHOULD appear as the first header after IP, prior to the appearance of ESP."

IPsec in FreeBSD is not implemented as the above. When we use

    spdadd x.x.x.x x.x.x.x any -P out ipsec
        ah/transport/10.0.0.50-10.200.1.10/require
        esp/transport/10.0.0.50-10.200.1.10/require;

AH will not appear in outgoing IP packet from 10.0.0.50 to 10.200.1.10, only ESP appears.
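
An added example (not part of the original message): a Python check for the header order the quoted RFC 2401 passage describes, run over two constructed IPv4 packets that use the message's addresses. The function names, SPI values and packet bytes are assumptions made for illustration.

```python
import struct

PROTO_ESP, PROTO_AH = 50, 51  # IP protocol numbers for ESP and AH

def ipsec_chain(packet: bytes) -> list:
    """Return the IPsec headers visible in an IPv4 packet, outermost first."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto, off, chain = packet[9], ihl, []
    while proto == PROTO_AH:
        if len(packet) < off + 12:
            raise ValueError("truncated AH header")
        next_hdr, payload_len = packet[off], packet[off + 1]
        chain.append("AH")
        # AH Payload Len is the header length in 32-bit words, minus 2.
        off += (payload_len + 2) * 4
        proto = next_hdr
    if proto == PROTO_ESP:
        chain.append("ESP")  # everything past the ESP header is encrypted
    return chain

def ah_before_esp(packet: bytes) -> bool:
    """True when AH is the first header after IP and ESP follows it."""
    return ipsec_chain(packet) == ["AH", "ESP"]

def _ipv4(proto: int, payload: bytes) -> bytes:
    # Constructed header: no options, checksum left at 0 (not validated here).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, bytes([10, 0, 0, 50]),
                       bytes([10, 200, 1, 10])) + payload

# Constructed sample data: made-up SPIs, zeroed ICV and ciphertext.
_ESP = struct.pack("!II", 0x1000, 1) + bytes(16)
_AH = struct.pack("!BBHII", PROTO_ESP, 4, 0, 0x2000, 1) + bytes(12)
SAMPLE_AH_ESP = _ipv4(PROTO_AH, _AH + _ESP)   # order the RFC text calls for
SAMPLE_ESP_ONLY = _ipv4(PROTO_ESP, _ESP)      # what the message reports seeing

if __name__ == "__main__":
    for name, pkt in (("AH+ESP", SAMPLE_AH_ESP), ("ESP only", SAMPLE_ESP_ONLY)):
        print(name, ipsec_chain(pkt), "AH before ESP:", ah_before_esp(pkt))
```
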