[Swan] libreswan ah+esp

Кузнецов Константин kkuznetsov at web.1tv.ru
Thu Dec 1 15:26:13 UTC 2016


Yeah, I'm really sure that I need AH+ESP. AH provides another level of 
integrity check; at least it does not let anyone change the IP src, dst or 
some IP header values.

I did manage to make it work, but only with IKEv1. When I set 
ikev2=insist, it gets stuck on these messages:

000 #1: "test-conf":500 STATE_PARENT_I1 (sent v2I1, expected v2R1); 
EVENT_v2_RETRANSMIT in 22s; idle; import:local rekey
000 #1: pending Phase 2 for "test-conf" replacing #0

In tcpdump I see:
18:23:19.498595 IP remote-host.isakmp > local-host.isakmp: isakmp: phase 
1 I ident
18:23:22.076667 IP remote-host.isakmp > local-host.isakmp: isakmp: phase 
1 I ident
18:23:22.426342 IP local-host.isakmp > remote-host.isakmp: isakmp: 
parent_sa ikev2_init[I]
18:23:22.498534 IP remote-host.isakmp > local-host.isakmp: isakmp: phase 
1 I ident
18:23:25.076666 IP remote-host.isakmp > local-host.isakmp: isakmp: phase 
1 I ident
18:23:28.076644 IP remote-host.isakmp > local-host.isakmp: isakmp: phase 
1 I ident


------
WBR
Kuznetsov Konstantin, Engineer
e-mail: kkuznetsov at web.1tv.ru
mobile: +7 905 7111332

01.12.2016 16:46, Paul Wouters writes:
> On Thu, 1 Dec 2016, Кузнецов Константин wrote:
>
>> Sorry, forgot to mention that transport mode is being used.
>
>> Hi! I have a CentOS 6 and I REALLY NEED to make AH+ESP on 
>> libreswan-3.15-5.3.el6.x86_64
>>
>> Is there any way to do it? I'm trying to make 2 conf files, one 
>> for ah and one for esp, and in this way only AH works; if I delete 
>> ah.conf, then the esp conf works perfectly. But both AH and ESP 
>> together do not work.
>
> If you provide two configurations with the only difference being
> type=esp versus type=ah, then you are creating two conflicting
> configurations and the result is undefined.
>
> People often mistakenly think they need AH+ESP. Libreswan does not
> support ESP without authentication, so it is always authenticated
> but it is not via AH+ESP. Only some very old racoon daemons are
> still known to use AH+ESP.
>
> So the important question is, are you really really sure you mean
> AH+ESP?
>
> Paul
>
>
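As an added example (not from this thread, and not taken from libreswan's own documentation), here is what a single transport-mode conn looks like when ESP is asked for with an explicit integrity algorithm under IKEv2, instead of two conflicting ah/esp conn files; the connection name, addresses and algorithm choices are placeholders.

```ini
# /etc/ipsec.d/test-conf.conf  (added example; names and addresses are placeholders)
conn test-conf
    type=transport          # transport mode, as used in the thread
    ikev2=insist            # only negotiate IKEv2; the peer must speak IKEv2 too
    left=192.0.2.10         # placeholder: local host
    right=198.51.100.20     # placeholder: remote host
    authby=secret           # PSK from ipsec.secrets (placeholder choice)
    phase2=esp              # one child SA type only; a second conn with phase2=ah would conflict
    esp=aes256-sha2_256     # ESP with explicit integrity (sha2_256), never unauthenticated
    ike=aes256-sha2_256;modp2048
    auto=start
```

If the peer keeps answering an IKEv2 SA_INIT with IKEv1 "phase 1 I ident" packets, as in the tcpdump above, it is not negotiating IKEv2 at all and ikev2=insist will never get past STATE_PARENT_I1; check the peer's IKE version before changing phase 2 settings.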
