Will H. Backman writes: > According to http://www.niscc.gov.uk/niscc/docs/al-20050509-00386.html, > there are some problems with certain IPSec configurations.
RFC 2406 which describes ESP says in the introduction :- ESP is used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality. ... Confidentiality may be selected independent of all other services. However, use of confidentiality without integrity/authentication (either in ESP or separately in AH) may undermine the confidentiality service (see [Bel96]). That last sentence is there for a reason. > Looks like you always need to use the -auth flag with the -enc flag with > ipsecadm when setting up esp. > > Should the man pages include these warnings? See the bottom of the ipsec(4) manual page :- There's a lot more to be said on this subject. This is just a beginning. In the meantime the default isakmpd/vpn configuration sets up ESP with SHA for authentication and the examples in the ipsecadm page use encryption with authentication. So, a user has to deviate from the defaults to be vulnerable to the aformentioned problem when using IPsec under OpenBSD.
