If ESP does not decrypt, the payload is invalid. Adding AH adds no further
functionality other than to thwart any attempts at NAT.

--
Todd Fries .. t...@fries.net

 _____________________________________________
|                                             \  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC                 \  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com             \  1.866.792.3418 (FAX)
| "..in support of free software solutions."  \  250797 (FWD)
|                                             \
 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

 37E7 D3EB 74D0 8D66 A68D B866 0326 204E 3F42 004A
                               http://todd.fries.net/pgp.txt

Penned by Felipe Alfaro Solana on 20090102 20:29.56, we have:
| On Fri, Jan 2, 2009 at 7:52 PM, Todd T. Fries <t...@fries.net> wrote:
|
| > The other answer is, ESP provides AH, therefore AH is deprecated.
|
| What do you mean? That OpenBSD's implementation of ESP automatically uses AH
| too? (payload inside AH inside ESP?) Because ESP only provides
| authentication for the payload only but not for the IP header. That's why AH
| is useful.
|
| > Unless you really really want to play with AH to verify it works and such
| > (which the below suggests it does not) ...
| > --
| > Todd Fries .. t...@fries.net
| >
| > Penned by Felipe Alfaro Solana on 20090102 17:38.51, we have:
| > | On Tue, Dec 30, 2008 at 9:29 PM, <fortunato.montre...@earthlink.net> wrote:
| > |
| > | > I'm trying to use both AH and ESP to setup IPsec using Transport mode
| > | > between two IPv6 OpenBSD 4.4 hosts.
| > | >
| > | > So far it worked for AH Transport mode or ESP Transport mode but I don't
| > | > quite know how to do both AH and ESP. Any ideas?
| > | >
| > | > Here's a snippet from /etc/ipsec.conf :
| > | >
| > | > ike esp transport from 2001::10 to 2001::5 psk "secret"
| > | >
| > | > Then tried the following (and vice versa - ah vice esp).
| > | >
| > | > ike esp transport from 2001::10 to 2001::5 psk "secret"
| > | > flow ah from 2001::10 to 2001::5
| > | >
| > | > I'm not sure either.
| > |
| > | Since you can apply ESP then AH, or apply AH and then ESP (depending on
| > | what's more important for you, the digital signature or the encryption)
| > | it's not obvious to me how to do it.
| > |
| > | --
| > | http://www.felipe-alfaro.org/blog/disclaimer/
|
| --
| http://www.felipe-alfaro.org/blog/disclaimer/
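The two claims in the thread (ESP's integrity check does not cover the IP header, and AH's check does, which is exactly why AH breaks under NAT) can be made concrete with a small model of what bytes each protocol's ICV is computed over. The following is an added example written for this thread; it is not code from OpenBSD, from ipsec.conf, or from any of the posters. It assumes a constructed IPv6 transport-mode packet between the thread's addresses 2001::10 and 2001::5, HMAC-SHA256 truncated to 128 bits as the ICV, a made-up key, and no real encryption (the ESP "ciphertext" is just the payload bytes, since only integrity coverage is being illustrated). The AH coverage follows RFC 4302 in zeroing the mutable IPv6 fields (traffic class, flow label, hop limit) before hashing; the ESP coverage follows RFC 4303 in hashing only the ESP header and payload.

```python
"""Model which bytes AH and ESP integrity-protect, and what survives NAT.

Added illustration for the AH-vs-ESP thread; not OpenBSD or ipsec.conf code.
Assumptions: HMAC-SHA256 truncated to 16 bytes as the ICV, a constructed key,
a constructed IPv6 transport-mode packet, and no real encryption.
"""
import hashlib
import hmac
import ipaddress
import struct

ICV_LEN = 16                                    # 128-bit truncated ICV (assumption)
KEY = b"constructed-demo-key-not-a-real-sa-key"  # constructed, not a real SA key
PROTO_ESP, PROTO_AH = 50, 51                    # IANA protocol numbers


def ipv6_header(src, dst, next_header, payload_len, hop_limit=64):
    """40-byte IPv6 fixed header: version 6, traffic class 0, flow label 0."""
    first_word = 6 << 28
    return (struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def icv(data):
    """Truncated HMAC over the covered bytes (stands in for the SA's auth alg)."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_covered_bytes(hdr, payload):
    """AH (RFC 4302): the IP header with mutable fields zeroed, plus the payload."""
    b = bytearray(hdr)
    b[0] &= 0xF0            # keep the version nibble, zero the traffic class bits
    b[1] = b[2] = b[3] = 0  # rest of traffic class and the flow label
    b[7] = 0                # hop limit changes at every router, so it is excluded
    return bytes(b) + payload


def esp_covered_bytes(hdr, esp_body):
    """ESP (RFC 4303): ESP header (SPI, seq) through the payload; no IP header."""
    return esp_body


def nat_rewrite(hdr, new_src):
    """A NAT device rewriting the source address of a packet in transit."""
    return hdr[:8] + ipaddress.IPv6Address(new_src).packed + hdr[24:]


def verify(covered, expected_icv):
    return hmac.compare_digest(icv(covered), expected_icv)


def build_demo_packets():
    """Constructed packets using the addresses from the thread."""
    src, dst = "2001::10", "2001::5"
    payload = b"constructed transport-mode payload"
    ah_hdr = ipv6_header(src, dst, PROTO_AH, len(payload))
    ah_icv = icv(ah_covered_bytes(ah_hdr, payload))
    esp_body = struct.pack("!II", 0x1000, 1) + payload   # SPI, seq, "ciphertext"
    esp_hdr = ipv6_header(src, dst, PROTO_ESP, len(esp_body) + ICV_LEN)
    esp_icv = icv(esp_covered_bytes(esp_hdr, esp_body))
    return ah_hdr, payload, ah_icv, esp_hdr, esp_body, esp_icv


def run_checks():
    """Return which (packet, modification) combinations still verify."""
    ah_hdr, payload, ah_icv, esp_hdr, esp_body, esp_icv = build_demo_packets()
    r = {}
    r["ah_ok_untouched"] = verify(ah_covered_bytes(ah_hdr, payload), ah_icv)
    # A router decrementing hop limit must not break AH (field is mutable).
    hopped = ah_hdr[:7] + bytes([ah_hdr[7] - 1]) + ah_hdr[8:]
    r["ah_ok_after_hop_limit_change"] = verify(ah_covered_bytes(hopped, payload), ah_icv)
    # A NAT rewriting the source address: AH fails, ESP does not notice.
    nat_src = "2001:db8::1"  # constructed, documentation prefix
    r["ah_ok_after_nat"] = verify(ah_covered_bytes(nat_rewrite(ah_hdr, nat_src), payload), ah_icv)
    r["esp_ok_after_nat"] = verify(esp_covered_bytes(nat_rewrite(esp_hdr, nat_src), esp_body), esp_icv)
    # Payload tampering is caught by both.
    r["ah_ok_after_payload_tamper"] = verify(ah_covered_bytes(ah_hdr, payload[:-1] + b"X"), ah_icv)
    r["esp_ok_after_payload_tamper"] = verify(esp_covered_bytes(esp_hdr, esp_body[:-1] + b"X"), esp_icv)
    return r


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name:32s} {'verifies' if ok else 'REJECTED'}")
```

Run as a script it prints one line per case. The result matches the thread: payload tampering is rejected by both protocols, so ESP with an authentication algorithm already gives the integrity the original poster was after, and the only thing AH adds is header coverage, which is precisely what a NAT rewrite invalidates. One caveat for transport mode across NAT that the model does not show: the TCP/UDP checksum inside the ESP payload still includes the addresses in its pseudo-header, which is why real deployments use UDP encapsulation of ESP (RFC 3948) rather than relying on ESP's header-agnostic ICV alone.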