[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openbsd-ipv6
Subject:    Re: AH and ESP over IPv6
From:       naddy () mips ! inka ! de (Christian Weisgerber)
Date:       2009-01-25 21:55:13
Message-ID: glin41$2m8o$1 () lorvorc ! mips ! inka ! de
[Download RAW message or body]

Fortunato <fortunato.montresor@earthlink.net> wrote:

> I'm trying to use IKE to have IPsec use both AH and ESP in transport
> mode between two IPv6 OpenBSD 4.4 hosts.
> 
> I can get AH Transport mode or ESP Transport mode but I don't quite know
> how to do both AH and ESP. Any ideas?

You cannot do this with ipsecctl.  I don't know if it is possible
to set this up with isakmpd.conf.

In fact, ipsecctl does not provide a way to set up an SA bundle for
static keying, which used to be possible with ipsecadm.

> Therefore my follow up question is, "Is there a way to turn
> off the optional ESP authentication in OpenBSD?" 

From a quick glance at netinet/ip_esp.c, I think it is possible to
set up an ESP SA without authentication, but no userland tool
supports this.

-- 
Christian "naddy" Weisgerber                          naddy@mips.inka.de

[prev in list] [next in list] [prev in thread] [next in thread]