IPsec in FreeBSD

Runfang Zhou rzhou at ISI.EDU
Fri Apr 9 13:45:15 PDT 2004


In RFC 2401:

    "For transport mode SAs, only one ordering of security protocols seems
appropriate.  AH is applied to both the upper layer protocols and
(parts of) the IP header.  Thus if AH is used in a transport mode, in
conjunction with ESP, AH SHOULD appear as the first header after IP,
prior to the appearance of ESP. "
    IPsec in FreeBSD is not implemented as described above. When we use

    spdadd x.x.x.x x.x.x.x  any -P out ipsec
    ah/transport/10.0.0.50-10.200.1.10/require
    esp/transport/10.0.0.50-10.200.1.10/require;

AH will not appear in the outgoing IP packet from 10.0.0.50 to 10.200.1.10;
only ESP appears.
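As an added example (not from the post or from the FreeBSD IPsec code), the following Python script walks the header chain of constructed IPv4 packets and checks whether a packet satisfies an "ah + esp" transport-mode policy with the RFC 2401 ordering (AH first, then ESP). The addresses, SPIs, sequence numbers and ICV length are constructed sample values; a real capture would be fed in as raw bytes instead.

```python
import struct

IPPROTO_ESP = 50
IPPROTO_AH = 51
NAMES = {IPPROTO_AH: "ah", IPPROTO_ESP: "esp", 6: "tcp", 17: "udp"}


def header_chain(pkt: bytes) -> list:
    """Return the protocol chain after the IPv4 header, e.g. ['ah', 'esp'].

    AH is walked using its Payload Len field (RFC 2402: length in 32-bit
    words minus 2).  The walk stops at ESP, whose Next Header field lives in
    the encrypted trailer, or at the first non-IPsec protocol.
    """
    off = (pkt[0] & 0x0F) * 4          # IHL gives the IPv4 header length
    proto = pkt[9]                     # IPv4 Protocol field
    chain = []
    while True:
        chain.append(NAMES.get(proto, str(proto)))
        if proto != IPPROTO_AH:
            return chain
        next_hdr, payload_len = pkt[off], pkt[off + 1]
        off += (payload_len + 2) * 4
        proto = next_hdr


def policy_satisfied(chain: list, required=("ah", "esp")) -> bool:
    """True if every required protocol is present and, when both AH and ESP
    are present in transport mode, AH appears before ESP (RFC 2401)."""
    if any(p not in chain for p in required):
        return False
    if "ah" in chain and "esp" in chain:
        return chain.index("ah") < chain.index("esp")
    return True


def ipv4(proto: int, payload: bytes) -> bytes:
    # Minimal 20-byte IPv4 header; checksum left zero (not validated here).
    src, dst = bytes([10, 0, 0, 50]), bytes([10, 200, 1, 10])
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                       0, 0, 64, proto, 0, src, dst) + payload


def ah(next_hdr: int, icv_len: int = 12) -> bytes:
    # Fixed 12-byte AH header (next, payload len, reserved, SPI, seq) + ICV.
    total = 12 + icv_len
    return struct.pack("!BBHII", next_hdr, total // 4 - 2, 0, 0x100, 1) + b"\x00" * icv_len


def esp() -> bytes:
    return struct.pack("!II", 0x200, 1) + b"\x00" * 16   # SPI, seq, opaque payload


# Constructed samples: the RFC 2401 ordering and the ESP-only packet the post reports.
RFC_ORDER = ipv4(IPPROTO_AH, ah(IPPROTO_ESP) + esp())
ESP_ONLY = ipv4(IPPROTO_ESP, esp())
```

Running `policy_satisfied(header_chain(pkt))` over packets captured on the wire is a quick way to confirm whether a host actually emits the AH header the SPD entry requires.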