Re: [Swan] libreswan ah+esp
Yeah, I'm really sure that I need AH+ESP. AH provides another level of integrity check; at least it does not allow the IP src, dst or some IP header values to be changed.

I did manage to make it work, but only with IKEv1. When I prompt ikev2=insist, it gets stuck at these messages:

000 #1: "test-conf":500 STATE_PARENT_I1 (sent v2I1, expected v2R1); EVENT_v2_RETRANSMIT in 22s; idle; import:local rekey
000 #1: pending Phase 2 for "test-conf" replacing #0

In tcpdump I see:

18:23:19.498595 IP remote-host.isakmp > local-host.isakmp: isakmp: phase 1 I ident
18:23:22.076667 IP remote-host.isakmp > local-host.isakmp: isakmp: phase 1 I ident
18:23:22.426342 IP local-host.isakmp > remote-host.isakmp: isakmp: parent_sa ikev2_init[I]
18:23:22.498534 IP remote-host.isakmp > local-host.isakmp: isakmp: phase 1 I ident
18:23:25.07 IP remote-host.isakmp > local-host.isakmp: isakmp: phase 1 I ident
18:23:28.076644 IP remote-host.isakmp > local-host.isakmp: isakmp: phase 1 I ident

--
WBR Kuznetsov Konstantin, Engineer
e-mail: kkuznet...@web.1tv.ru
mobile: +7 905 7111332

01.12.2016 16:46, Paul Wouters wrote:

> On Thu, 1 Dec 2016, Кузнецов Константин wrote:
>
>> Sorry, I forgot to mention that transport mode is being used.
>>
>>> Hi! I have a CentOS 6 and I REALLY NEED to make AH+ESP on libreswan-3.15-5.3.el6.x86_64. Is there any way to do it? I'm trying to make 2 conf files, one for AH and one for ESP, and in this way only AH works; if I delete ah.conf, then the ESP conf works perfectly. But both AH and ESP do not work.
>
> If you provide two configurations with the only difference being type=esp versus type=ah, then you are creating two conflicting configurations and the result is undefined.
>
> People often mistakenly think they need AH+ESP. Libreswan does not support ESP without authentication, so it is always authenticated but it is not via AH+ESP. Only some very old racoon daemons are still known to use AH+ESP.
>
> So the important question is, are you really really sure you mean AH+ESP?
>
> Paul

___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
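tcpdump prints IKEv1 exchanges with a "phase 1"/"phase 2" prefix and IKEv2 exchanges with a "parent_sa"/"child_sa" prefix, so a capture like the one quoted above can be checked mechanically for peers that never send the same IKE version. The following Python is an added example, not part of the original messages; the sample capture and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, in the format of the tcpdump lines quoted in the thread.
SAMPLE = """\
18:23:19.498595 IP remote-host.isakmp > local-host.isakmp: isakmp: phase 1 I ident
18:23:22.426342 IP local-host.isakmp > remote-host.isakmp: isakmp: parent_sa ikev2_init[I]
18:23:22.498534 IP remote-host.isakmp > local-host.isakmp: isakmp: phase 1 I ident
"""

# timestamp, "IP", sender host with its UDP/500 suffix, receiver, IKE summary
LINE = re.compile(
    r"^\S+ IP (?P<src>\S+)\.(?:isakmp|500) > \S+: isakmp: (?P<body>.+)$"
)

def ike_version(body):
    """Map tcpdump's exchange summary to an IKE major version (None if unknown)."""
    if body.startswith(("parent_sa", "child_sa")):
        return 2  # tcpdump's prefixes for IKEv2 exchanges
    if body.startswith("phase "):
        return 1  # tcpdump's prefix for IKEv1 exchanges
    return None

def versions_by_sender(capture):
    """Return {sender: {IKE versions it transmitted}} for a text capture."""
    seen = defaultdict(set)
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not an IKE line on UDP/500, or truncated output
        version = ike_version(m.group("body"))
        if version is not None:
            seen[m.group("src")].add(version)
    return dict(seen)

def version_mismatch(capture):
    """True when two or more senders share no IKE version at all."""
    sets = list(versions_by_sender(capture).values())
    return len(sets) >= 2 and not set.intersection(*sets)

if __name__ == "__main__":
    for host, versions in sorted(versions_by_sender(SAMPLE).items()):
        print(host, "sends IKEv" + "/".join(str(v) for v in sorted(versions)))
    print("mismatch:", version_mismatch(SAMPLE))
```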
Re: [Swan] libreswan ah+esp
On Thu, 1 Dec 2016, Кузнецов Константин wrote:

> Sorry, I forgot to mention that transport mode is being used.
>
>> Hi! I have a CentOS 6 and I REALLY NEED to make AH+ESP on libreswan-3.15-5.3.el6.x86_64. Is there any way to do it? I'm trying to make 2 conf files, one for AH and one for ESP, and in this way only AH works; if I delete ah.conf, then the ESP conf works perfectly. But both AH and ESP do not work.

If you provide two configurations with the only difference being type=esp versus type=ah, then you are creating two conflicting configurations and the result is undefined.

People often mistakenly think they need AH+ESP. Libreswan does not support ESP without authentication, so it is always authenticated but it is not via AH+ESP. Only some very old racoon daemons are still known to use AH+ESP.

So the important question is, are you really really sure you mean AH+ESP?

Paul
Re: [Swan] libreswan ah+esp
Sorry, I forgot to mention that transport mode is being used.

--
WBR Kuznetsov Konstantin, Engineer
e-mail: kkuznet...@web.1tv.ru
mobile: +7 905 7111332

01.12.2016 14:14, Кузнецов Константин wrote:

> Hi! I have a CentOS 6 and I REALLY NEED to make AH+ESP on libreswan-3.15-5.3.el6.x86_64. Is there any way to do it? I'm trying to make 2 conf files, one for AH and one for ESP, and in this way only AH works; if I delete ah.conf, then the ESP conf works perfectly. But both AH and ESP do not work.
>
> --
> WBR Kuznetsov Konstantin, Engineer
> e-mail: kkuznet...@web.1tv.ru
> mobile: +7 905 7111332
[Swan] libreswan ah+esp
Hi! I have a CentOS 6 and I REALLY NEED to make AH+ESP on libreswan-3.15-5.3.el6.x86_64. Is there any way to do it? I'm trying to make 2 conf files, one for AH and one for ESP, and in this way only AH works; if I delete ah.conf, then the ESP conf works perfectly. But both AH and ESP do not work.

--
WBR Kuznetsov Konstantin, Engineer
e-mail: kkuznet...@web.1tv.ru
mobile: +7 905 7111332