From owner-freebsd-net@FreeBSD.ORG Fri Apr 9 13:45:15 2004
From: Runfang Zhou <rzhou@isi.edu>
To: freebsd-net@freebsd.org
cc: xbone@ISI.EDU
Date: Fri, 9 Apr 2004 13:44:25 -0700 (PDT)
Subject: IPsec in Freebsd
List-Id: Networking and TCP/IP with FreeBSD

In RFC 2401:

    "For transport mode SAs, only one ordering of security protocols seems
    appropriate. AH is applied to both the upper layer protocols and (parts
    of) the IP header. Thus if AH is used in a transport mode, in conjunction
    with ESP, AH SHOULD appear as the first header after IP, prior to the
    appearance of ESP."

IPsec in FreeBSD is not implemented as above. When we use

    spdadd x.x.x.x x.x.x.x any -P out ipsec
        ah/transport/10.0.0.50-10.200.1.10/require
        esp/transport/10.0.0.50-10.200.1.10/require;

AH will not appear in the outgoing IP packet from 10.0.0.50 to 10.200.1.10;
only ESP appears.
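One way to verify on the wire what the message reports, as an added example that is not part of the original post and not FreeBSD code: the Python below walks the protocol chain of a raw IPv4 packet (stepping over AH, which carries a Next Header field, and stopping at ESP, whose next-header field is inside the encrypted trailer) and compares the observed chain with a transport-mode SPD entry that requires both AH and ESP, using the RFC 2401 ordering quoted above. The two sample packets are constructed inline, not captures; `ipsec_header_chain`, `check_transport_policy` and the `build_*` helpers are names chosen here, and the AH ICV and ESP ciphertext bytes are dummies.

```python
"""Walk the IPsec header chain of a raw IPv4 packet and compare it with a
transport-mode SPD policy that requires AH and ESP.  Example code written for
this page, not from the original message or the FreeBSD tree."""
import socket
import struct
from typing import List

IPPROTO_ESP = 50
IPPROTO_AH = 51
PROTO_NAMES = {6: "TCP", 17: "UDP", IPPROTO_ESP: "ESP", IPPROTO_AH: "AH"}


def ipsec_header_chain(packet: bytes) -> List[str]:
    """Return the protocol names that follow the IPv4 header, in wire order.

    AH has a Next Header field and a length (RFC 2402), so the walk can step
    over it.  ESP's next-header field lives in the encrypted trailer
    (RFC 2406), so an ESP header ends the walk: anything behind it is opaque.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len > len(packet):
        raise ValueError("bad IPv4 length fields")
    proto, offset, chain = packet[9], ihl, []
    while True:
        chain.append(PROTO_NAMES.get(proto, str(proto)))
        if proto != IPPROTO_AH:
            return chain
        if offset + 12 > total_len:
            raise ValueError("truncated AH header")
        next_hdr, payload_len = packet[offset], packet[offset + 1]
        # RFC 2402: Payload Len is the AH length in 32-bit words minus 2.
        proto, offset = next_hdr, offset + (payload_len + 2) * 4


def check_transport_policy(chain: List[str], require_ah: bool = True,
                           require_esp: bool = True) -> List[str]:
    """Findings for an observed chain against an SPD entry such as
    'ah/transport/.../require esp/transport/.../require'.  An empty list
    means the packet carries what the policy requires, in RFC 2401 order."""
    findings = []
    if require_ah and "AH" not in chain:
        findings.append("AH required by policy but absent")
    if require_esp and "ESP" not in chain:
        findings.append("ESP required by policy but absent")
    if "AH" in chain and "ESP" in chain and chain.index("ESP") < chain.index("AH"):
        findings.append("ESP precedes AH; RFC 2401 wants AH first after IP in transport mode")
    return findings


# --- constructed sample packets (not captures) ---------------------------

def build_ipv4(proto: int, payload: bytes,
               src: str = "10.0.0.50", dst: str = "10.200.1.10") -> bytes:
    """Minimal IPv4 header; checksum left zero since nothing here verifies it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_ah(next_hdr: int, spi: int, seq: int, icv: bytes) -> bytes:
    """AH header per RFC 2402 followed by a dummy ICV of the given bytes."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv


def build_esp(spi: int, seq: int, ciphertext: bytes = b"\x00" * 16) -> bytes:
    """ESP header (SPI, sequence number) followed by opaque dummy ciphertext."""
    return struct.pack("!II", spi, seq) + ciphertext


# What RFC 2401 asks for: IP | AH | ESP | (encrypted upper layer).
PACKET_AH_THEN_ESP = build_ipv4(
    IPPROTO_AH,
    build_ah(IPPROTO_ESP, 0x1000, 1, b"\xaa" * 12) + build_esp(0x2000, 1))
# What the message reports seeing from FreeBSD: IP | ESP only.
PACKET_ESP_ONLY = build_ipv4(IPPROTO_ESP, build_esp(0x2000, 1))


if __name__ == "__main__":
    for name, pkt in (("AH+ESP", PACKET_AH_THEN_ESP), ("ESP only", PACKET_ESP_ONLY)):
        chain = ipsec_header_chain(pkt)
        print(name, chain, check_transport_policy(chain) or "OK")
```

To run it against real traffic, hand `ipsec_header_chain` the IP-layer bytes of a packet taken from a raw socket or from a `tcpdump -w` capture with the link-layer header stripped; a chain of `['ESP']` for a flow whose policy requires AH is exactly the symptom the message describes, while `['AH', 'ESP']` is the RFC 2401 ordering.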