Tunnel Mode AH

2001-07-08 Thread Motonori Shindo

Hi,

I have a question regarding IPsec tunnel mode AH processing.

ipsec(4) says:

  AH tunnel may not work as you might expect.  If you configure ``require''
  policy against AH tunnel for inbound, tunneled packets will be rejected.
  This is because AH authenticates encapsulating (outer) packet, not the
  encapsulated (inner) packet.

I am seeing exactly what is explained in this paragraph: IKE (racoon)
successfully establishes IPsec SAs for both directions and packets get
properly encapsulated (tunnel-mode AH) and sent to the peer, but the
peer appears to be rejecting the packets. If I change the parameter in the
policy setting from 'required' to 'use', it works just fine.

setkey(8) also says that:

  require means SA is required whenever the kernel deals with the
  packet.

Even if the policy is specified as "required", it looks (at least to
me) like the SA (destination address, security protocol (AH/ESP), and SPI)
is properly established. I don't see anything that can prevent it from
working if the policy is specified as 'require'.

Will anybody here help me understand this?

Regards,

--
Motonori Shindo
Sr. Systems Engineer
CoSine Communications Inc.
e-mail: [EMAIL PROTECTED]



To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message



Re: ng_bridge and altq

2001-07-08 Thread Kenjiro Cho


<[EMAIL PROTECTED]> wrote:
> Hi all... I just have one simple question. Can altq work with ng_bridge if I
> were to use both of them to bridge and shape traffic? Currently I'm using
> "options BRIDGE" in my kernel configuration and altq works flawlessly. I
> haven't got the chance to play around with ng_bridge because it's a
> production machine :(

Unfortunately, ALTQ doesn't work with netgraph yet.

-Kenjiro




Re: Tunnel Mode AH

2001-07-08 Thread itojun

>Even if the policy is specified as "required", it looks (at least to
>me) like the SA (destination address, security protocol (AH/ESP), and SPI)
>is properly established. I don't see anything that can prevent it from
>working if the policy is specified as 'require'.
>
>Will anybody here help me understand this?

IKE is not the issue, and SA establishment is not the issue.  The issue bites
you when you actually receive an AH tunnel packet which matches a "require"
policy (inbound): such packets will get rejected.
We (KAME) are at this moment using a 1-bit mbuf flag to remember whether an
mbuf is authenticated or not.  This way, we cannot handle the tunnelled AH case.
Check out the latest manpage for a slightly better description:
http://www.kame.net/dev/cvsweb.cgi/kame/kame/kame/man/man4/ipsec.4

itojun

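The two policy levels the thread contrasts, written out as setkey(8) SPD entries for one gateway (an added example, not from the thread or from KAME; the gateway and subnet addresses are constructed):

```conf
# Constructed example. Gateway A = 192.0.2.1 protects 10.1.0.0/24,
# gateway B = 192.0.2.2 protects 10.2.0.0/24. Entries are as seen from A.

# Outbound: "require" works. The kernel refuses to send the packet until a
# matching tunnel-mode AH SA exists, and racoon negotiates that SA.
spdadd 10.1.0.0/24 10.2.0.0/24 any -P out ipsec
        ah/tunnel/192.0.2.1-192.0.2.2/require ;

# Inbound with "require": rejected, as the thread describes. AH authenticates
# the outer (encapsulating) packet, and the stack only carries a 1-bit
# "authenticated" mbuf flag, so once the outer header is stripped the inner
# packet is not marked as authenticated and fails the "require" check.
#spdadd 10.2.0.0/24 10.1.0.0/24 any -P in ipsec
#        ah/tunnel/192.0.2.2-192.0.2.1/require ;

# Inbound with "use": the workaround the original poster found working. The SA
# is still negotiated and the outer AH header is still verified on receipt;
# "use" only stops the kernel from insisting that the inner packet be marked.
spdadd 10.2.0.0/24 10.1.0.0/24 any -P in ipsec
        ah/tunnel/192.0.2.2-192.0.2.1/use ;

# Caveat for the inbound side: per setkey(8), "use" means the kernel uses an
# SA if one is available and otherwise keeps normal operation, so an
# unprotected packet matching this selector would also be accepted. The
# policy no longer enforces authentication on inbound traffic; AH tunnel
# only makes sense here if that is acceptable or enforced elsewhere.
```

Load with `setkey -c` and inspect the result with `setkey -DP`, both of which the page's setkey(8) reference describes.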