On Fri, Jan 2, 2009 at 8:36 PM, <t...@fries.net> wrote:

> If ESP does not decrypt, the payload is invalid. Adding AH adds no further
> functionality other than to thwart any attempts at NAT.


AH is not meant to thwart any attempts at NAT. For that, you have IPSec over
UDP. AH prevents any tampering with the IP header, which can be very useful.


>
> --
> Todd Fries .. t...@fries.net
>
>  _____________________________________________
> |                                             \  1.636.410.0632 (voice)
> | Free Daemon Consulting, LLC                 \  1.405.227.9094 (voice)
> | http://FreeDaemonConsulting.com             \  1.866.792.3418 (FAX)
> | "..in support of free software solutions."  \          250797 (FWD)
> |                                             \
>  \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
>
>              37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
>                        http://todd.fries.net/pgp.txt
>
> Penned by Felipe Alfaro Solana on 20090102 20:29.56, we have:
> | On Fri, Jan 2, 2009 at 7:52 PM, Todd T. Fries <t...@fries.net> wrote:
> |
> | > The other answer is, ESP provides AH, therefore AH is deprecated.
> |
> |
> | What do you mean? That OpenBSD's implementation of ESP automatically uses AH
> | too? (payload inside AH inside ESP?) Because ESP only provides
> | authentication for the payload but not for the IP header. That's why AH
> | is useful.
> |
> | > Unless you really really want to play with AH to verify it works and such
> | > (which the below suggests it does not) ...
> | > Penned by Felipe Alfaro Solana on 20090102 17:38.51, we have:
> | > | On Tue, Dec 30, 2008 at 9:29 PM, <fortunato.montre...@earthlink.net> wrote:
> | > |
> | > | > I'm trying to use both AH and ESP to setup IPsec using Transport mode
> | > | > between two IPv6 OpenBSD 4.4 hosts.
> | > | >
> | > | > So far it worked for AH Transport mode or ESP Transport mode but I don't
> | > | > quite know how to do both AH and ESP. Any ideas?
> | > | >
> | > | > Here's a snippet from /etc/ipsec.conf :
> | > | >
> | > | >  ike esp transport from 2001::10 to 2001::5 psk "secret"
> | > | >
> | > | > I tried the following (and vice versa - ah vice esp).
> | > | >
> | > | >  ike esp transport from 2001::10 to 2001::5 psk "secret"
> | > | >  flow ah from 2001::10 to 2001::5
> | > | >
> | > | > I'm not sure either.
> | > |
> | > | Since you can apply ESP then AH, or apply AH and then ESP (depending on
> | > | what's more important for you, the digital signature or the encryption)
> | > | it's not obvious to me how to do it.
> | > |
> | > | --
> | > | http://www.felipe-alfaro.org/blog/disclaimer/
> | >



-- 
http://www.felipe-alfaro.org/blog/disclaimer/
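The distinction argued in this thread (ESP's integrity check stops at the ESP header, while AH's also covers the immutable parts of the IP header) can be seen in a small model of the two ICV computations in transport mode. The Python below is an added example written for this page; it is not code from the thread, from Felipe, or from OpenBSD. The key, the addresses, the choice of HMAC-SHA-256 truncated to 128 bits, and the omission of ESP's encryption step are all constructed assumptions made so the block runs offline. It also illustrates the NAT remark above: rewriting an address (which is exactly what a NAT does) invalidates the AH ICV but leaves the ESP ICV valid, whereas a router decrementing the Hop Limit invalidates neither, because AH zeroes mutable fields before hashing.

```python
"""Model of which bytes the AH and ESP integrity checks cover (IPv6, transport mode).

Added example for this page, not OpenBSD or isakmpd code. Key material,
addresses and HMAC choice are constructed for the demonstration.
"""
import hashlib
import hmac
import struct

# Constructed demo key shared by both directions; never reuse outside a demo.
KEY = b"constructed-demo-integrity-key"
ICV_LEN = 16  # HMAC-SHA-256-128 style truncation (assumption for the demo)
AH_HDR_LEN = 12 + ICV_LEN  # next(1) len(1) rsvd(2) spi(4) seq(4) + ICV


def build_ipv6_header(src, dst, payload_len, next_header, hop_limit):
    """Fixed 40-byte IPv6 header with traffic class and flow label set to 0."""
    first_word = 6 << 28  # version 6, traffic class 0, flow label 0
    return struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit) + src + dst


def mutable_fields_zeroed(ip_header):
    """AH hashes the IP header with mutable fields zeroed: for IPv6 these are
    the traffic class (DSCP/ECN), the flow label and the Hop Limit (RFC 4302)."""
    first_word = struct.unpack("!I", ip_header[:4])[0] & 0xF0000000  # keep version only
    return struct.pack("!I", first_word) + ip_header[4:7] + b"\x00" + ip_header[8:]


def _icv(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_header(spi, seq, icv=b"\x00" * ICV_LEN):
    """AH header; Next Header = 6 (TCP) for the demo, Payload Len = words - 2 = 5."""
    return struct.pack("!BBHII", 6, 5, 0, spi, seq) + icv


def protect_with_ah(ip_header, upper_payload, spi=0x1001, seq=1):
    """AH ICV covers: IP header (mutable fields zeroed) + AH header (ICV zeroed) + payload."""
    icv = _icv(mutable_fields_zeroed(ip_header) + ah_header(spi, seq) + upper_payload)
    return ah_header(spi, seq, icv) + upper_payload


def verify_ah(ip_header, ah_packet):
    hdr, payload = ah_packet[:AH_HDR_LEN], ah_packet[AH_HDR_LEN:]
    received = hdr[12:AH_HDR_LEN]
    expected = _icv(mutable_fields_zeroed(ip_header) + hdr[:12] + b"\x00" * ICV_LEN + payload)
    return hmac.compare_digest(received, expected)


def protect_with_esp(upper_payload, spi=0x2002, seq=1):
    """ESP ICV covers only the ESP header and the (here unencrypted) payload.
    The IP header is not an input at all."""
    body = struct.pack("!II", spi, seq) + upper_payload
    return body + _icv(body)


def verify_esp(ip_header, esp_packet):
    """ip_header is accepted for symmetry with verify_ah but never enters the ICV."""
    body, received = esp_packet[:-ICV_LEN], esp_packet[-ICV_LEN:]
    return hmac.compare_digest(received, _icv(body))


def tamper_demo():
    """Constructed packets: intact, with the destination address rewritten
    (as a NAT would), and with Hop Limit decremented (as a router would)."""
    src = bytes.fromhex("20010000000000000000000000000010")  # 2001::10, from the thread
    dst = bytes.fromhex("20010000000000000000000000000005")  # 2001::5, from the thread
    rewritten = bytes.fromhex("2001000000000000000000000000aaaa")  # constructed NAT address
    payload = b"constructed upper-layer data"

    ah_len = AH_HDR_LEN + len(payload)
    esp_len = 8 + len(payload) + ICV_LEN
    ip_ah = build_ipv6_header(src, dst, ah_len, 51, 64)    # 51 = AH
    ip_esp = build_ipv6_header(src, dst, esp_len, 50, 64)  # 50 = ESP
    ah_pkt = protect_with_ah(ip_ah, payload)
    esp_pkt = protect_with_esp(payload)

    return {
        "ah_intact": verify_ah(ip_ah, ah_pkt),
        "ah_dst_rewritten": verify_ah(build_ipv6_header(src, rewritten, ah_len, 51, 64), ah_pkt),
        "ah_hop_limit_decremented": verify_ah(build_ipv6_header(src, dst, ah_len, 51, 63), ah_pkt),
        "esp_intact": verify_esp(ip_esp, esp_pkt),
        "esp_dst_rewritten": verify_esp(build_ipv6_header(src, rewritten, esp_len, 50, 64), esp_pkt),
    }


if __name__ == "__main__":
    for case, ok in tamper_demo().items():
        print(f"{case:28s} ICV valid: {ok}")
```

Only `ah_dst_rewritten` comes back False: AH detects the header rewrite, ESP does not notice it, and the legitimate Hop Limit change passes both. That is the same reason AH does not survive a NAT while ESP (or ESP over UDP) does.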