[Swan] tcpdump does not find AH packets

Bryan Harris bryanlharris at gmail.com
Tue Sep 20 17:37:42 UTC 2016


Hi all,

I'm just learning about ipsec and have been able to set up a host to host
tunnel using x509 certificates signed by a dummy CA.

In some of the documentation I've read I can see an iptables rule to allow
AH protocol packets, and after some testing I've become a little confused
about AH packets.

For example, when I allow these in iptables and search for them via simple
tcpdump command "tcpdump -n -i eth1 ah", I never seem to see them.  Am I
missing any option in the command?  I can see lots of esp packets, but
ne'er any a drop of ah.

Another example, if I do not allow ah packets in my iptables, the tunnel
still seems to work fine.  Of course, the iptables allows udp 500, 4500 and
protocol esp.  I put the iptables -L output at the bottom of this email.

Is ah really required in all scenarios, or are there specific circumstances
in which ah packets really get used by ipsec?  I noticed in the RHEL 6
Security Guide they say the AH requirement is uncommon, so I wonder if I
don't need that rule.

Thanks in advance for any guidance or explanation.

V/r,
Bryan



Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere            udp spt:isakmp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere            udp spt:ipsec-nat-t dpt:ipsec-nat-t

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere            udp spt:isakmp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere            udp spt:ipsec-nat-t dpt:ipsec-nat-t
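The question above turns on what tcpdump's "ah" and "esp" keywords actually match and on which wire protocols a modern ESP tunnel really uses. The following is an added illustration, not code from the poster or from the libreswan project: it parses constructed IPv4 packets (no link-layer header), classifies them as ESP (IP protocol 50), AH (IP protocol 51), IKE on udp/500, or NAT-T traffic on udp/4500 (RFC 3948: IKE there carries a 4-byte zero "non-ESP marker", otherwise the payload is UDP-encapsulated ESP), and applies a simplified model of the protocol-specific ACCEPT rules from the posted INPUT chain. The sample packets, the 192.0.2.x addresses and the SPI values are constructed for the demo; connection tracking, ICMP, SSH and the interface-less "ACCEPT all" line of the real chain are deliberately not modelled.

```python
import socket
import struct

# IANA IP protocol numbers. tcpdump's "esp" and "ah" keywords are shorthand
# for "ip proto 50" and "ip proto 51" on the OUTER IP header.
PROTO_UDP = 17
PROTO_ESP = 50
PROTO_AH = 51
PORT_ISAKMP = 500   # IKE
PORT_NAT_T = 4500   # IKE with non-ESP marker, or UDP-encapsulated ESP


def classify_ipsec(packet: bytes) -> str:
    """Classify a raw IPv4 packet as 'esp', 'ah', 'ike', 'esp-nat-t' or 'other'."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        return "other"
    ihl = (ver_ihl & 0x0F) * 4
    proto = packet[9]
    if proto == PROTO_ESP:
        return "esp"
    if proto == PROTO_AH:
        return "ah"
    if proto != PROTO_UDP:
        return "other"
    if len(packet) < ihl + 8:
        raise ValueError("truncated UDP header")
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    payload = packet[ihl + 8:]
    if PORT_ISAKMP in (sport, dport):
        return "ike"
    if PORT_NAT_T in (sport, dport):
        # RFC 3948: IKE on 4500 starts with four zero bytes; ESP never does,
        # because a zero SPI is reserved.
        return "ike" if payload[:4] == b"\x00\x00\x00\x00" else "esp-nat-t"
    return "other"


def matches_tcpdump_keyword(packet: bytes, keyword: str) -> bool:
    """What 'tcpdump esp' / 'tcpdump ah' test: the outer IP protocol field.
    Note that NAT-T ESP is NOT matched by 'esp' (its outer protocol is UDP)."""
    wanted = {"esp": PROTO_ESP, "ah": PROTO_AH}[keyword]
    return packet[9] == wanted


def posted_input_chain(packet: bytes) -> str:
    """Simplified model of the posted INPUT chain: ESP, udp/500 and udp/4500
    are accepted; everything else (including AH, protocol 51) hits policy DROP."""
    return "ACCEPT" if classify_ipsec(packet) in ("esp", "ike", "esp-nat-t") else "DROP"


def build_ipv4(proto: int, payload: bytes, src="192.0.2.1", dst="192.0.2.2") -> bytes:
    """Constructed IPv4 header (checksum left zero; enough for parsing)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed UDP header (checksum left zero)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def sample_packets() -> dict:
    """Constructed packets: what an ESP tunnel puts on the wire, plus one AH
    packet that such a tunnel never sends."""
    spi = b"\x00\x00\x10\x01"                      # constructed SPI
    esp_body = spi + b"\x00\x00\x00\x01" + b"\xaa" * 32   # SPI, seq, ciphertext
    ah_body = b"\x04\x04\x00\x00" + spi + b"\x00\x00\x00\x01" + b"\x00" * 12
    return {
        "esp": build_ipv4(PROTO_ESP, esp_body),
        "ah": build_ipv4(PROTO_AH, ah_body),
        "ike": build_ipv4(PROTO_UDP, build_udp(500, 500, b"\x11" * 28)),
        "esp-nat-t": build_ipv4(PROTO_UDP, build_udp(4500, 4500, esp_body)),
        "ike-nat-t": build_ipv4(PROTO_UDP, build_udp(4500, 4500, b"\x00" * 4 + b"\x11" * 28)),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(f"{name:10s} class={classify_ipsec(pkt):10s} "
              f"'esp'={matches_tcpdump_keyword(pkt, 'esp')!s:5s} "
              f"'ah'={matches_tcpdump_keyword(pkt, 'ah')!s:5s} "
              f"INPUT={posted_input_chain(pkt)}")
```

Running it shows the two points behind the question: the "ah" filter is correct and simply has nothing to match on an ESP-only tunnel, and the posted chain would drop AH if it ever appeared, which is why the tunnel works without an AH rule. It also shows a capture caveat in the other direction: once NAT traversal kicks in, "tcpdump esp" stops matching too, and "udp port 4500" is the filter to use.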