> When I use authentication only (auth=ah) behind a NAT router, I can build the tunnel but can't ping or send any packet from one subnet to another.
NAT-T is incompatible with AH, by design. The IETF workgroup writes:
Since the AH header incorporates the IP source and destination addresses in the keyed message integrity check, NAT or reverse NAT devices making changes to address fields will invalidate the message integrity check. Since IPsec ESP [4] does not incorporate the IP source and destination addresses in its keyed message integrity check, this issue does not arise for ESP.
(http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-reqts-04.txt)
In other words, NAT-T wants to change the packet, while AH was invented to not allow this.
Jacco
--
Jacco de Leeuw                   mailto:[EMAIL PROTECTED]
Zaandam, The Netherlands         http://www.jacco2.dds.nl
When nature calls, you better accept the charges.
_______________________________________________
FreeS/WAN Users mailing list
[EMAIL PROTECTED]
https://mj2.freeswan.org/cgi-bin/mj_wwwusr
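An added illustration (not part of the post and not FreeS/WAN code) of the point the draft makes: it models an AH-style integrity check that covers the IP addresses and an ESP-style one that does not, then applies the address rewrite a NAT router performs. The key, addresses and payload are constructed sample values; the header model is simplified to addresses plus TTL.

```python
import hashlib
import hmac
import ipaddress

# Constructed demo key standing in for the SA's integrity key (normally set up by IKE).
KEY = b"constructed-demo-integrity-key"


def _addr(a: str) -> bytes:
    return ipaddress.IPv4Address(a).packed


def ah_icv(pkt: dict) -> bytes:
    """AH-style ICV: covers the IP header with mutable fields zeroed (only TTL is
    modelled here; real AH also zeroes TOS, flags, fragment offset and checksum)
    plus the payload. Source and destination addresses are immutable and covered."""
    covered = _addr(pkt["src"]) + _addr(pkt["dst"]) + b"\x00" + pkt["payload"]
    return hmac.new(KEY, covered, hashlib.sha256).digest()


def esp_icv(pkt: dict) -> bytes:
    """ESP-style ICV: covers only the ESP header and payload (modelled as the
    payload alone), never the outer IP header."""
    return hmac.new(KEY, pkt["payload"], hashlib.sha256).digest()


def build(src: str, dst: str, payload: bytes, mode: str) -> dict:
    pkt = {"src": src, "dst": dst, "ttl": 64, "payload": payload, "mode": mode}
    pkt["icv"] = ah_icv(pkt) if mode == "ah" else esp_icv(pkt)
    return pkt


def verify(pkt: dict) -> bool:
    expected = ah_icv(pkt) if pkt["mode"] == "ah" else esp_icv(pkt)
    return hmac.compare_digest(expected, pkt["icv"])


def nat_rewrite(pkt: dict, public_src: str) -> dict:
    """What the NAT router does on egress: swap the private source address for
    its public one and decrement TTL. Payload and ICV are left untouched."""
    return {**pkt, "src": public_src, "ttl": pkt["ttl"] - 1}


def demo() -> tuple:
    """Returns (AH ok without NAT, AH ok after NAT, ESP ok after NAT)."""
    ah = build("192.168.1.10", "10.0.0.1", b"ICMP echo request", "ah")
    esp = build("192.168.1.10", "10.0.0.1", b"ICMP echo request", "esp")
    nat = "203.0.113.7"
    return (verify(ah), verify(nat_rewrite(ah, nat)), verify(nat_rewrite(esp, nat)))


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The TTL decrement alone does not break AH, because TTL is a mutable field zeroed before the check; it is the rewritten source address that makes the AH receiver drop the packet, while the ESP check survives the same rewrite.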
