On Sun, Apr 05, 2009 at 11:05:12AM -0700, Jean Paul Degabriele wrote:
> Hi, I am trying to set up an IPsec VPN with AH in transport mode followed by
> ESP in tunnel mode, i.e. the encapsulation is as follows: IP-ESP-IP-AH-ULP

You cannot do that on forwarded packets.
> In general all packets are being protected by ESP in tunnel mode, however
> AH is only being applied to packets originating from the local interface of
> one gateway to the local interface of the other gateway. Meaning that AH is
> not being applied to packets originating from machines on the local
> network.

That means things are working as designed.

> # AH transport mode
> {raddr 192.168.103.0/24} ipsec {auth_algs hmac-md5 sa shared}

That policy entry only applies to packets originating from or destined to the
node in question.

> # ESP Tunnel mode
> {tunnel ip.tun0 negotiate tunnel raddr 192.168.103.0/24 laddr
> 192.168.102.0/24} ipsec {encr_algs aes sa shared}

This one applies to any packet forwarded through ip.tun0.

The only way you can get AH + ESP on forwarded packets is to have:

IP + AH + ESP + [IP + data]

and you'd then need to lose the transport-mode entry, and add "auth_algs" to
the tunnel-mode entry.

Dan
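As an added illustration (not part of Dan's or Jean Paul's messages), here is what the change Dan describes looks like when written out as ipsecconf policy entries. The "before" lines are the two entries quoted above; the "after" entry is constructed from them and assumes Solaris ipsecconf syntax, keeping the same tunnel name, subnets and algorithms:

```text
# Before (the two entries quoted above):
# AH transport mode -- matches only packets sent or received by this node itself,
# so packets forwarded from the local subnet never get AH
{raddr 192.168.103.0/24} ipsec {auth_algs hmac-md5 sa shared}
# ESP tunnel mode -- applies to every packet forwarded through ip.tun0
{tunnel ip.tun0 negotiate tunnel raddr 192.168.103.0/24 laddr 192.168.102.0/24} ipsec {encr_algs aes sa shared}

# After: the transport-mode entry is removed and auth_algs is added to the
# tunnel-mode entry, so forwarded packets come out as IP + AH + ESP + [IP + data]
{tunnel ip.tun0 negotiate tunnel raddr 192.168.103.0/24 laddr 192.168.102.0/24} ipsec {encr_algs aes auth_algs hmac-md5 sa shared}
```

One point worth checking when editing the entry: in ipsecconf, `auth_algs` selects an AH header, while an integrity check carried inside ESP itself is requested with `encr_auth_algs`. The combined entry above uses `auth_algs`, which is what produces the outer AH header Dan describes; with AH outermost, its ICV also covers the ESP header and the immutable fields of the outer IP header, which the ESP-only policy did not protect.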