Hi all, I'm just learning about ipsec and have been able to set up a host-to-host tunnel using x509 certificates signed by a dummy CA.

In some of the documentation I've read I can see an iptables rule to allow AH protocol packets, and after some testing I've become a little confused about AH packets. For example, when I allow these in iptables and search for them via a simple tcpdump command "tcpdump -n -i eth1 ah", I never seem to see them. Am I missing any option in the command? I can see lots of esp packets, but ne'er a drop of ah. Another example: if I do not allow ah packets in my iptables, the tunnel still seems to work fine. Of course, the iptables rules allow udp 500, 4500 and protocol esp. I put the iptables -L output at the bottom of this email.

Is ah really required in all scenarios, or are there specific circumstances in which ah packets really get used by ipsec? I noticed in the RHEL 6 Security Guide they say the AH requirement is uncommon, so I wonder if I don't need that rule.

Thanks in advance for any guidance or explanation.

V/r,
Bryan

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp spt:isakmp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere             udp spt:ipsec-nat-t dpt:ipsec-nat-t

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp spt:isakmp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere             udp spt:ipsec-nat-t dpt:ipsec-nat-t
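An added illustration of what the question is about (this is not part of Bryan's post and not Libreswan code): a small Python classifier that parses raw IPv4 packets and reports which IPsec component each one belongs to. It tells apart IKE on UDP/500, the two things that share UDP/4500 (IKE marked by the RFC 3948 non-ESP marker, and UDP-encapsulated ESP), native ESP (IP protocol 50) and AH (IP protocol 51), and then checks each packet against a rule set that mirrors the iptables output above, where ESP, UDP 500 and UDP 4500 are accepted and AH is not. The packet bytes, addresses, SPIs and sequence numbers are constructed sample values, and the helper names are my own.

```python
"""Classify raw IPv4 packets into the IPsec components a host-to-host tunnel
firewall has to permit, and check them against a rule set modelled on the
iptables listing in the post. Added example; sample packets are constructed."""
import struct

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
IKE_PORT, NAT_T_PORT = 500, 4500
# RFC 3948: IKE carried inside UDP/4500 is prefixed with four zero bytes.  An ESP
# SPI is never zero, so the marker cannot be confused with an ESP packet.
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def _ipv4(proto, payload, src="10.0.0.1", dst="10.0.0.2"):
    """Minimal 20-byte IPv4 header (no options, checksum left 0) plus payload.
    Constructed test data only; not a real capture."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + payload


def _udp(sport, dport, payload):
    """UDP header (checksum left 0) plus payload, for constructed samples."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify(pkt):
    """Return a dict describing which IPsec component a raw IPv4 packet is."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return {"kind": "not-ipv4"}
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes (options included)
    proto = pkt[9]
    body = pkt[ihl:]
    if proto == IPPROTO_ESP and len(body) >= 8:
        spi, seq = struct.unpack("!II", body[:8])
        return {"kind": "esp", "spi": spi, "seq": seq}
    if proto == IPPROTO_AH and len(body) >= 12:
        next_hdr, ah_len = body[0], body[1]
        spi, seq = struct.unpack("!II", body[4:12])
        # RFC 4302: payload length is in 32-bit words minus 2, so the whole AH
        # header (fixed part plus ICV) is (ah_len + 2) * 4 bytes.
        icv_len = (ah_len + 2) * 4 - 12
        return {"kind": "ah", "next_header": next_hdr, "spi": spi,
                "seq": seq, "icv_len": icv_len}
    if proto == IPPROTO_UDP and len(body) >= 8:
        sport, dport, ulen, _ = struct.unpack("!HHHH", body[:8])
        data = body[8:ulen]
        if IKE_PORT in (sport, dport):
            return {"kind": "ike", "sport": sport, "dport": dport}
        if NAT_T_PORT in (sport, dport):
            if data[:4] == NON_ESP_MARKER:
                return {"kind": "ike-nat-t", "sport": sport, "dport": dport}
            if len(data) >= 8:
                spi, seq = struct.unpack("!II", data[:8])
                return {"kind": "esp-udp-encap", "spi": spi, "seq": seq}
        return {"kind": "udp", "sport": sport, "dport": dport}
    return {"kind": "other", "proto": proto}


# Packet kinds the post's iptables rules accept: esp, udp 500 and udp 4500.
# There is no "ACCEPT ah" line, so AH falls through to the DROP policy.
POST_RULES = frozenset({"esp", "ike", "ike-nat-t", "esp-udp-encap"})


def accepted(pkt, rules=POST_RULES):
    """Would this packet pass a rule set that accepts only the given kinds?"""
    return classify(pkt)["kind"] in rules


# Constructed sample packets, one per component (values are made up).
SAMPLES = {
    "esp": _ipv4(IPPROTO_ESP, struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 24),
    # AH: next header UDP, length 4 words (=> 24-byte header with a 12-byte ICV)
    "ah": _ipv4(IPPROTO_AH, struct.pack("!BBHII", IPPROTO_UDP, 4, 0, 0xAB, 1)
                + b"\x11" * 12 + _udp(1234, 80, b"hello")),
    "ike": _ipv4(IPPROTO_UDP, _udp(500, 500, b"\x00" * 28)),
    "ike_natt": _ipv4(IPPROTO_UDP, _udp(4500, 4500, NON_ESP_MARKER + b"\x00" * 28)),
    "esp_natt": _ipv4(IPPROTO_UDP, _udp(4500, 4500,
                                        struct.pack("!II", 0x1234, 9) + b"\x00" * 16)),
}


def summary(rules=POST_RULES):
    """Map each sample name to (classified kind, accepted by the rule set)."""
    return {name: (classify(p)["kind"], accepted(p, rules))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (kind, ok) in summary().items():
        print(f"{name:9s} -> {kind:14s} {'ACCEPT' if ok else 'DROP'}")
```

The "ah" sample is the only one the post's rule set drops, which is the situation the question describes: an AH rule only matters if the security association was actually negotiated with AH, and a capture filter such as tcpdump's `ah` matches nothing unless IP protocol 51 packets are really on the wire.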
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan