Dan McDonald wrote:
> On Wed, May 02, 2007 at 01:00:30AM -0700, UNIX admin wrote:
>>> ESP has the capability for using authentication on its encapsulated payload.
>>> It makes AH *mostly* redundant. You should specify *either* ESP
>>> authentication or AH.
>> OK, how can I check whether I'm using ESP with auth?
>
> If you're already protecting traffic with ESP, utter (with privilege):
>
>     ipseckey dump esp | egrep "AKY:|Authentication"
>
> If you see output, then you're using ESP authentication.
>
From a practical perspective, the rule syntax is very subtle.

    encr_algs aes encr_auth_algs sha1

will use ESP with AES encryption and SHA1 authentication.

    encr_algs aes auth_algs sha1

uses ESP with AES encryption and AH with SHA1 authentication, which is incompatible with NAT. It's a common nuance that people sometimes miss.

Thanks,
Paul
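A small policy audit, added here as an example and not part of the thread or of Solaris itself: it parses ipsecinit.conf-style rules (the `{ pattern } ipsec { properties }` layout is assumed from ipsecconf(1M)) and reports, per rule, whether integrity comes from ESP (`encr_auth_algs`) or from a separate AH header (`auth_algs`), flagging the NAT problem Paul describes and ESP rules with no integrity at all. The sample rules are constructed.

```python
import re

# Constructed sample policy in ipsecinit.conf style (rule layout assumed
# from ipsecconf(1M)); not taken from the original thread.
SAMPLE_POLICY = """
# ESP carrying both AES encryption and SHA1 authentication
{ laddr 10.0.0.1 raddr 10.0.0.2 } ipsec { encr_algs aes encr_auth_algs sha1 sa shared }
# ESP with AES, but integrity supplied by a separate AH header
{ laddr 10.0.0.1 raddr 10.0.0.3 } ipsec { encr_algs aes auth_algs sha1 sa shared }
# ESP encryption with no integrity protection at all
{ laddr 10.0.0.1 raddr 10.0.0.4 } ipsec { encr_algs aes sa shared }
"""

RULE_RE = re.compile(r"\{(?P<pattern>[^}]*)\}\s*ipsec\s*\{(?P<props>[^}]*)\}")
ALG_KEYS = ("encr_algs", "encr_auth_algs", "auth_algs")

def strip_comments(text):
    """Drop '#' comments so braces inside them cannot be mistaken for rules."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def classify_rule(props):
    """Classify one 'ipsec { ... }' property block as ESP / ESP+auth / AH."""
    toks = props.split()
    algs = {toks[i]: toks[i + 1] for i in range(len(toks) - 1) if toks[i] in ALG_KEYS}
    esp = "encr_algs" in algs or "encr_auth_algs" in algs
    esp_auth = "encr_auth_algs" in algs   # integrity inside ESP
    ah = "auth_algs" in algs              # separate AH header
    warnings = []
    if ah:
        warnings.append("AH in use: authenticates the IP header, breaks behind NAT")
    if esp and not esp_auth and not ah:
        warnings.append("ESP without integrity: use encr_auth_algs")
    return {"algs": algs, "esp": esp, "esp_auth": esp_auth, "ah": ah,
            "nat_ok": not ah, "warnings": warnings}

def audit_policy(text):
    """Return a classification for every rule in an ipsecinit.conf-style text."""
    return [dict(pattern=m.group("pattern").strip(), **classify_rule(m.group("props")))
            for m in RULE_RE.finditer(strip_comments(text))]

if __name__ == "__main__":
    for r in audit_policy(SAMPLE_POLICY):
        modes = [n for n, on in (("ESP", r["esp"]), ("ESP-auth", r["esp_auth"]), ("AH", r["ah"])) if on]
        print(r["pattern"], "->", "+".join(modes), "|", "; ".join(r["warnings"]) or "ok")
```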