IPSec without AH

J65nko BSD j65nko at gmail.com
Sun Jan 23 05:36:17 PST 2005


On Sun, 23 Jan 2005 13:47:35 +0100, Erik Norgaard <norgaard at locolomo.org> wrote:
> Hi,
> 
> Due to the problems of IPSec with NAT I was thinking if it is possible to
> setup IPSec without Authenticated Headers? Does anyone know of a howto?
> 
> My postulate is that since data is encrypted, this should provide the
> same security as SSL/TLS - or better as _all_ protocols are encapsulated
> - or did I miss something?
> 
> Thanks, Erik

The AH (Authenticated Header) protocol cannot be used with NAT: NAT
modifies the header of packets, while AH is supposed to protect that
header from being modified. Another IPSEC protocol, ESP (Encrypted
Security Payload), both authenticates and encrypts, and thus has no
problem with NAT traversal.

BTW I am not an IPSEC expert, just scratched its surface a little bit ;)

=Adriaan=
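As an added illustration of the point made in this reply (example code, not from the thread or from any IPsec implementation), here is a small Python model of why NAT breaks AH but not ESP: an AH-style ICV is computed over the IP header with only the mutable fields zeroed, so a NAT rewriting the source address invalidates it, whereas an ESP-style ICV covers only the payload. The key, addresses and header layout are constructed for the demo, and the MAC coverage is simplified relative to the AH/ESP RFCs.

```python
import hmac
import hashlib
import struct

# Constructed demo key and addresses; a real SA would negotiate these via IKE.
KEY = b"constructed-demo-key"
AH, ESP = 51, 50  # IP protocol numbers

def ipv4_checksum(hdr):
    h = hdr[:10] + b"\0\0" + hdr[12:]  # checksum field zeroed while summing
    s = sum(struct.unpack("!10H", h))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src, dst, proto, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0x1234, 0x4000, ttl, proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def icv(proto, hdr, payload):
    """AH: MAC over the IP header (mutable TTL/checksum zeroed, so addresses ARE covered) plus payload.
    ESP: MAC over the payload only; the outer IP header is never part of the MAC input."""
    if proto == AH:
        h = bytearray(hdr)
        h[8] = 0               # TTL is mutable in transit, zeroed before the MAC
        h[10:12] = b"\0\0"     # header checksum likewise
        data = bytes(h) + payload
    else:
        data = payload
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]  # truncated like HMAC-SHA256-96

def nat_rewrite(hdr, public_src):
    """What a NAT gateway does on the way out: new source address, TTL - 1, checksum recomputed."""
    src = bytes(int(x) for x in public_src.split("."))
    new = hdr[:8] + bytes([hdr[8] - 1]) + hdr[9:12] + src + hdr[16:]
    return new[:10] + struct.pack("!H", ipv4_checksum(new)) + new[12:]

def verifies_after_nat(proto, payload=b"constructed payload bytes"):
    """Sender MACs the private-side packet; the peer checks the packet as it arrives after NAT."""
    sent = ipv4_header("10.0.0.5", "198.51.100.10", proto)
    tag = icv(proto, sent, payload)
    arrived = nat_rewrite(sent, "203.0.113.7")
    return hmac.compare_digest(icv(proto, arrived, payload), tag)

if __name__ == "__main__":
    print("AH  ICV still valid after NAT:", verifies_after_nat(AH))   # False
    print("ESP ICV still valid after NAT:", verifies_after_nat(ESP))  # True
```

One caveat the model does not show: ESP carries no port numbers for a NAT to track, so in practice ESP through NAT usually relies on UDP encapsulation (NAT-T, RFC 3948) rather than raw protocol 50.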


More information about the freebsd-questions mailing list