Paul,<br>Thank a lot for your quick response.<br><br>I am now learning the kernel code and i thought about this AH and ESP as a way of using stackable dst entries. Maybe i should have started with this: Is there a way to use libreswan so the skb dst will be a linked list of 3 elements? As i undrstand, when working with only Esp there are 2 elements im each dst list<br>
Regards<br>David<br><br><br><br><br>On Tuesday, August 13, 2013, Paul Wouters <<a href="mailto:paul@nohats.ca">paul@nohats.ca</a>> wrote:<br>> On Tue, 13 Aug 2013, David Shwatrz wrote:<br>><br>>> How should I configure /etc/ipsec.conf so that i will have both AH and ESP in an ipsec session ?<br>
><br>> That is a non-standard configuration that should not be used. I am not<br>> sure if the man page is correct, but you can try ah+esp:<br>><br>> phase2<br>> Sets the type of SA that will be produced. Valid options are:<br>
> esp for encryption (the default), ah for authentication only,<br>> and ah+esp for nested AH+ESP. Note that ESP already includes<br>> AH - the ah+esp option is for double ah headers, and should<br>
> only be used when connecting to some racoon configurations<br>> that do this.<br>><br>><br>> Paul<br>>