[Swan] AH and ESP

Paul Wouters paul at nohats.ca
Tue Aug 13 01:23:06 EEST 2013


On Tue, 13 Aug 2013, David Shwatrz wrote:

> How should I configure /etc/ipsec.conf so that I will have both AH and ESP in an ipsec session?

That is a non-standard configuration that should not be used. I am not
sure if the man page is correct, but you can try ah+esp:

       phase2
            Sets the type of SA that will be produced. Valid options are:
            esp for encryption (the default), ah for authentication only,
            and ah+esp for nested AH+ESP. Note that ESP already includes
            AH - the ah+esp option is for double ah headers, and should
            only be used when connecting to some racoon configurations
            that do this.


Paul

