Hi,
>
> I am trying to set up IPsec with ESP + tunnel AH host-to-host in
> OpenBSD,
> but fail to do so. The two hosts are PCs openbsd1 and openbsd15.
> openbsd1: 192.3.20.238
> openbsd15: 192.3.40.55
>
> When I ping from openbsd1 to openbsd15, there is no reply from
> openbsd1;
> the packet from openbsd1 to openbsd15 sniffed with Ethereal is
> [IP | AH | IP | ESP | data ]
>
> When I ping from openbsd15 to openbsd1, there is a reply from openbsd1 as
> shown
> by the Ethereal software, but the ping command doesn't print any reply packet.
> Ethereal sniff:
> From openbsd15: [IP | ESP | data ]
> From openbsd1: [IP | AH | IP | ESP | data ]
>
> Can I have ESP + tunnel AH in a host-to-host setup?
>
> My configuration files are the following:
> [In openbsd1, isakmpd.policy file:]
> KeyNote-Version: 2
> Comment: This policy accepts ESP SAs from a remote that uses the right password
> $OpenBSD: policy,v 1.4 2000/01/26 15:20:40 niklas Exp $
> $EOM: policy,v 1.5 2000/01/26 14:03:07 niklas Exp $
> Authorizer: "POLICY"
> Licensees: "passphrase:mekmitasdigoat"
> Conditions: app_domain == "IPsec policy" -> "true";
>
> [In openbsd1, isakmpd.conf file:]
> # $OpenBSD: singlehost-west.conf,v 1.8 2000/05/03 13:37:33 niklas Exp $
> # $EOM: singlehost-west.conf,v 1.8 2000/05/03 13:25:25 niklas Exp $
>
> # A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
>
> [Phase 1]
> 192.3.40.55 = ISAKMP-peer-open15
>
> [Phase 2]
> Connections= IPsec-open15
>
>
> [ISAKMP-peer-open15]
> Phase= 1
> Transport= udp
> Address= 192.3.40.55
> Configuration= Default-main-mode
> Authentication= mekmitasdigoat
>
> [IPsec-open15]
> Phase= 2
> ISAKMP-peer= ISAKMP-peer-open15
> Configuration= Default-quick-mode
> Local-ID= Net-open1
> Remote-ID= Net-open15
>
>
> [Net-open1]
> ID-type= IPV4_ADDR_SUBNET
> Network= 192.3.20.238
> Netmask= 255.255.255.255
>
> [Net-open15]
> ID-type= IPV4_ADDR_SUBNET
> Network= 192.3.40.55
> Netmask= 255.255.255.255
>
>
> [Default-main-mode]
> DOI= IPSEC
> EXCHANGE_TYPE= ID_PROT
> Transforms= 3DES-MD5
>
> [3DES-SHA]
> ENCRYPTION_ALGORITHM= 3DES_CBC
> HASH_ALGORITHM= SHA
> AUTHENTICATION_METHOD= PRE_SHARED
> GROUP_DESCRIPTION= MODP_1024
> Life= LIFE_3600_SECS
>
> [3DES-MD5]
> ENCRYPTION_ALGORITHM= 3DES_CBC
> HASH_ALGORITHM= MD5
> AUTHENTICATION_METHOD= PRE_SHARED
> GROUP_DESCRIPTION= MODP_1024
> Life= LIFE_3600_SECS
>
> [Default-quick-mode]
> DOI= IPSEC
> EXCHANGE_TYPE= QUICK_MODE
> #Suites= QM-ESP-3DES-SHA-SUITE
> #Suites= QM-ESP-3DES-MD5-SUITE
> #Suites= QM-AH-MD5-ESP-DES-SUITE
> Suites= QM-ESP-3DES-MD5-AH-MD5-SUITE
>
> # Quick mode protection suites
> ##############################
> # 3DES
> # [QM-AH-MD5-ESP-3DES-MD5-SUITE]
> [QM-ESP-3DES-MD5-AH-MD5-SUITE]
> Protocols= QM-ESP-3DES-MD5,QM-AH-MD5
>
>
> # Quick mode protocols
> #############################
> # 3DES
> [QM-ESP-3DES-MD5]
> PROTOCOL_ID= IPSEC_ESP
> Transforms= QM-ESP-3DES-MD5-XF
>
> # AH
> [QM-AH-MD5]
> PROTOCOL_ID= IPSEC_AH
> Transforms= QM-AH-MD5-XF
>
> # Quick mode transforms
> #############################
> # 3DES
> [QM-ESP-3DES-MD5-XF]
> TRANSFORM_ID= 3DES
> ENCAPSULATION_MODE= TRANSPORT
> AUTHENTICATION_ALGORITHM= HMAC_MD5
> GROUP_DESCRIPTION= MODP_1024
> Life= LIFE_3600_SECS
>
> # AH Transform
> [QM-AH-MD5-XF]
> TRANSFORM_ID= MD5
> ENCAPSULATION_MODE= TRANSPORT
> AUTHENTICATION_ALGORITHM= HMAC_MD5
> GROUP_DESCRIPTION= MODP_1024
> Life= LIFE_3600_SECS
>
> [LIFE_3600_SECS]
> LIFE_TYPE= SECONDS
> LIFE_DURATION= 3600,1800:7200
>
>
>
>
> [In openbsd15, isakmpd.policy file:]
> KeyNote-Version: 2
> Comment: This policy accepts ESP SAs from a remote that uses the right password
> $OpenBSD: policy,v 1.4 2000/01/26 15:20:40 niklas Exp $
> $EOM: policy,v 1.5 2000/01/26 14:03:07 niklas Exp $
> Authorizer: "POLICY"
> Licensees: "passphrase:mekmitasdigoat"
> Conditions: app_domain == "IPsec policy" -> true;
>
> [In openbsd15, isakmpd.conf file:]
> # $OpenBSD: singlehost-west.conf,v 1.8 2000/05/03 13:37:33 niklas Exp $
> # $EOM: singlehost-west.conf,v 1.8 2000/05/03 13:25:25 niklas Exp $
>
> # A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
>
> [Phase 1]
> 192.3.20.238= ISAKMP-open1
>
> [Phase 2]
> Connections= IPsec-svr-open1
>
> [ISAKMP-open1]
> Phase= 1
> Transport= udp
> Address= 192.3.20.238
> Configuration= Default-main-mode
> Authentication= mekmitasdigoat
>
> [IPsec-svr-open1]
> Phase= 2
> ISAKMP-peer= ISAKMP-rtu2
> Configuration= Default-quick-mode
> Local-ID= Net-open15
> Remote-ID= Net-open1
>
> [Net-open15]
> ID-type= IPV4_ADDR_SUBNET
> Network= 192.3.40.55
> Netmask= 255.255.255.255
>
> [Net-open1]
> ID-type= IPV4_ADDR_SUBNET
> Network= 192.3.20.238
> Netmask= 255.255.255.255
>
> [Default-main-mode]
> DOI= IPSEC
> EXCHANGE_TYPE= ID_PROT
> Transforms= 3DES-MD5
>
> [Default-quick-mode]
> DOI= IPSEC
> EXCHANGE_TYPE= QUICK_MODE
> Suites= QM-ESP-3DES-MD5-AH-MD5-SUITE
>
>
> [3DES-MD5]
> ENCRYPTION_ALGORITHM= 3DES_CBC
> HASH_ALGORITHM= MD5
> AUTHENTICATION_METHOD= PRE_SHARED
> GROUP_DESCRIPTION= MODP_1024
> Life= LIFE_3600_SECS
>
> # Quick mode protection suites
> ##############################
> # ESP
> # ESP + AH
> # Work 1
> #[QM-AH-MD5-ESP-3DES-MD5-SUITE]
> [QM-ESP-3DES-MD5-AH-MD5-SUITE]
> Protocols= QM-ESP-3DES-MD5,QM-AH-MD5
>
> # Quick mode protocols
> #############################
> # 3DES-SHA
> [QM-ESP-3DES-MD5]
> PROTOCOL_ID= IPSEC_ESP
> Transforms= QM-ESP-3DES-MD5-XF
>
> # AH
> [QM-AH-MD5]
> PROTOCOL_ID= IPSEC_AH
> Transforms= QM-AH-MD5-XF
>
> # Quick mode transforms
> #############################
> # 3DES
> [QM-ESP-3DES-MD5-XF]
> TRANSFORM_ID= 3DES
> ENCAPSULATION_MODE= TUNNEL
> AUTHENTICATION_ALGORITHM= HMAC_MD5
> GROUP_DESCRIPTION= MODP_1024
> Life= LIFE_3600_SECS
>
>
> # AH Transform
> [QM-AH-MD5-XF]
> TRANSFORM_ID= MD5
> ENCAPSULATION_MODE= TUNNEL
> AUTHENTICATION_ALGORITHM= HMAC_MD5
> GROUP_DESCRIPTION= MODP_1024
> Life= LIFE_3600_SECS
>
> [LIFE_3600_SECS]
> LIFE_TYPE= SECONDS
> LIFE_DURATION= 3600,1800:7200
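Two things stand out when the two posted isakmpd.conf files are read side by side: openbsd15's [IPsec-svr-open1] section points at ISAKMP-peer= ISAKMP-rtu2, a section that does not exist in that file, and openbsd1's quick-mode transforms say ENCAPSULATION_MODE= TRANSPORT while openbsd15's say TUNNEL. Both peers must propose the same encapsulation mode for a Phase 2 SA, so the two files do not describe the same SA. The script below is an added example, not code from the original post or from OpenBSD; it embeds constructed excerpts of the two configs trimmed to the Phase 2 reference chain (Connections, ISAKMP-peer, Configuration, Suites, Protocols, Transforms), walks those references to find dangling section names, and compares ENCAPSULATION_MODE per protocol between the two ends. The INI-style reader is a minimal assumption about the file format sufficient for these excerpts, not a full isakmpd.conf parser.

```python
"""Cross-check two isakmpd.conf files for dangling section references and for
ENCAPSULATION_MODE disagreement between the peers' Phase 2 transforms."""

# Constructed excerpt of openbsd1's posted isakmpd.conf, trimmed to the
# sections reached by the Phase 2 reference walk.
OPENBSD1 = """
[Phase 2]
Connections= IPsec-open15
[ISAKMP-peer-open15]
Phase= 1
Address= 192.3.40.55
[IPsec-open15]
Phase= 2
ISAKMP-peer= ISAKMP-peer-open15
Configuration= Default-quick-mode
[Default-quick-mode]
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-MD5-AH-MD5-SUITE
[QM-ESP-3DES-MD5-AH-MD5-SUITE]
Protocols= QM-ESP-3DES-MD5,QM-AH-MD5
[QM-ESP-3DES-MD5]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-MD5-XF
[QM-AH-MD5]
PROTOCOL_ID= IPSEC_AH
Transforms= QM-AH-MD5-XF
[QM-ESP-3DES-MD5-XF]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TRANSPORT
[QM-AH-MD5-XF]
TRANSFORM_ID= MD5
ENCAPSULATION_MODE= TRANSPORT
"""

# openbsd15's posted file differs from openbsd1's exactly in the section
# names, the peer address, the ISAKMP-peer value (ISAKMP-rtu2, as posted)
# and the encapsulation mode, so it is derived here by substitution.
OPENBSD15 = (OPENBSD1
             .replace("ISAKMP-peer-open15", "ISAKMP-open1")
             .replace("192.3.40.55", "192.3.20.238")
             .replace("IPsec-open15", "IPsec-svr-open1")
             .replace("ISAKMP-peer= ISAKMP-open1", "ISAKMP-peer= ISAKMP-rtu2")
             .replace("TRANSPORT", "TUNNEL"))

# Keys whose values name other sections (comma-separated where isakmpd allows).
REF_KEYS = ("Connections", "ISAKMP-peer", "Configuration",
            "Suites", "Protocols", "Transforms")


def parse_conf(text):
    """Minimal reader: '[Section]' headers and 'Key= Value' lines, '#' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def dangling_refs(conf):
    """Return (section, key, target) for every reference to a missing section."""
    missing = []
    for name, body in conf.items():
        for key in REF_KEYS:
            if key in body:
                for target in (t.strip() for t in body[key].split(",")):
                    if target not in conf:
                        missing.append((name, key, target))
    return missing


def encapsulation_modes(conf):
    """Map PROTOCOL_ID (IPSEC_ESP / IPSEC_AH) to the set of ENCAPSULATION_MODE
    values in the transforms that protocol section lists."""
    modes = {}
    for body in conf.values():
        proto = body.get("PROTOCOL_ID")
        if proto is None:
            continue
        for xf in (t.strip() for t in body.get("Transforms", "").split(",")):
            mode = conf.get(xf, {}).get("ENCAPSULATION_MODE")
            if mode:
                modes.setdefault(proto, set()).add(mode)
    return modes


def mode_mismatches(conf_a, conf_b):
    """Protocols whose encapsulation modes differ between the two ends."""
    a, b = encapsulation_modes(conf_a), encapsulation_modes(conf_b)
    return {p: (a.get(p, set()), b.get(p, set()))
            for p in set(a) | set(b) if a.get(p) != b.get(p)}


if __name__ == "__main__":
    c1, c15 = parse_conf(OPENBSD1), parse_conf(OPENBSD15)
    print("openbsd1 dangling refs:", dangling_refs(c1))
    print("openbsd15 dangling refs:", dangling_refs(c15))
    print("encapsulation mismatches:", mode_mismatches(c1, c15))
```

Run against the excerpts it reports one dangling reference on openbsd15 (IPsec-svr-open1 / ISAKMP-peer / ISAKMP-rtu2) and a TRANSPORT-versus-TUNNEL mismatch for both IPSEC_ESP and IPSEC_AH. To use it on real files, replace the embedded strings with the contents of each host's /etc/isakmpd/isakmpd.conf; the reference walk and the mode comparison are the same.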