IPSec without AH

Erik Norgaard norgaard at locolomo.org
Sun Jan 23 08:57:03 PST 2005

J65nko BSD wrote:
>>Of course, it requires access to the (public?) keys to create valid
>>encrypted packets. Hence, if the public key is kept as a shared secret
>>among the authorized users, one could assume that ESP packets are
>>This is my idea, discard AH, rely on ESP and assume that anyone capable
>>of producing decryptable packets must have access to the pre-shared
>>secret "public" key and hence authorized.
> You are not the first to have this idea. The authors of "Secure
> Architectures with OpenBSD" already published this ;)

Dang! Why does someone always steal my ideas before I get them?

>>AH would work, if both ends were NAT-aware, such that the right src/dst
>>IP could be inserted in the header before checking. It just occurred to
>>me that maybe this could be done by adding yet another IP/IP tunnel?
> OpenBSD 3.6 supports NAT traversal. From http://openbsd.org/36.html:
> "isakmpd(8) now supports NAT-traversal and Dead Peer Detection (RFC 3706)."
> Don't know how long it would take before this is supported by FreeBSD ;)

Interesting, I'll take a look at that - thanks.
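The origin check the thread wants from ESP alone, as an added Go example (not code from the thread, from isakmpd or from the FreeBSD/OpenBSD IPsec stacks): a model of ESP packet construction in the RFC 4303 layout (the successor of RFC 2406, the ESP spec current when this was written) with AES-CBC (RFC 3602) and the HMAC-SHA1-96 integrity check value (RFC 2404) that ESP carries when the SA has an authentication algorithm. The SPIs, keys, IV and payload are constructed test values. The point it shows is that "decryptable" and "made by a key holder" are not the same thing: with the authentication algorithm set to none, a CBC ciphertext can be edited without any key and still decrypts to a predictable, attacker-chosen plaintext, whereas an SA with an ICV drops the same packet.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// SA holds the parts of an IPsec Security Association this model needs.
type SA struct {
	SPI     uint32
	Enc     cipher.Block // AES-128 block cipher, used in CBC mode
	AuthKey []byte       // HMAC-SHA1 key; nil models "authentication algorithm: none"
}

const espHdr, icvLen = 8, 12 // SPI+seq header; HMAC-SHA1-96 keeps 96 of the 160 tag bits (RFC 2404)
// newSA wraps the key in a cipher once; keys here are constructed test values, not IKE output.
func newSA(spi uint32, encKey, authKey []byte) (SA, error) {
	block, err := aes.NewCipher(encKey)
	return SA{SPI: spi, Enc: block, AuthKey: authKey}, err
}

// icv computes HMAC-SHA1-96 over SPI, sequence number, IV and ciphertext (the ICV's scope in ESP).
func icv(sa SA, data []byte) []byte {
	mac := hmac.New(sha1.New, sa.AuthKey)
	mac.Write(data)
	return mac.Sum(nil)[:icvLen]
}

// espEncap builds one ESP packet (RFC 4303): SPI | Seq | IV | CBC(payload|pad|padlen|nexthdr) | [ICV].
func espEncap(sa SA, seq uint32, iv, payload []byte, nextHdr byte) []byte {
	padLen := (aes.BlockSize - (len(payload)+2)%aes.BlockSize) % aes.BlockSize
	plain := append([]byte{}, payload...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i)) // RFC 4303 default padding: 1, 2, 3, ...
	}
	plain = append(plain, byte(padLen), nextHdr)
	pkt := make([]byte, espHdr, espHdr+len(iv)+len(plain)+icvLen)
	binary.BigEndian.PutUint32(pkt[0:], sa.SPI)
	binary.BigEndian.PutUint32(pkt[4:], seq)
	pkt = append(pkt, iv...) // IV is a parameter only for determinism; real stacks use a fresh random one
	pkt = append(pkt, plain...)
	cipher.NewCBCEncrypter(sa.Enc, iv).CryptBlocks(pkt[espHdr+len(iv):], plain) // encrypt in place
	if sa.AuthKey != nil {
		pkt = append(pkt, icv(sa, pkt)...)
	}
	return pkt
}

// espDecap checks the ICV first (when the SA has one), then decrypts and strips the trailer.
func espDecap(sa SA, pkt []byte) ([]byte, byte, error) {
	body := pkt
	if sa.AuthKey != nil {
		n := len(pkt) - icvLen
		if n < 0 || !hmac.Equal(icv(sa, pkt[:n]), pkt[n:]) {
			return nil, 0, errors.New("ICV mismatch: packet dropped")
		}
		body = pkt[:n]
	}
	if len(body) < espHdr+2*aes.BlockSize || (len(body)-espHdr)%aes.BlockSize != 0 {
		return nil, 0, errors.New("bad ESP length")
	}
	iv, ct := body[espHdr:espHdr+aes.BlockSize], body[espHdr+aes.BlockSize:]
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(sa.Enc, iv).CryptBlocks(plain, ct)
	padLen := int(plain[len(plain)-2])
	if padLen > len(plain)-2 {
		return nil, 0, errors.New("bad pad length")
	}
	return plain[:len(plain)-2-padLen], plain[len(plain)-1], nil
}

// tamper needs no key: in CBC, XORing byte p of the previous ciphertext block (the IV for block 0)
// XORs byte p of the decrypted block, so packet byte espHdr+p steers plaintext byte p.
func tamper(pkt []byte, plainOffset int, delta byte) []byte {
	out := append([]byte{}, pkt...)
	out[espHdr+plainOffset] ^= delta
	return out
}

// demo runs one tampered packet through an encryption-only SA and an SA with an ICV; it returns
// what the first accepted and whether the second dropped it.
func demo() (string, bool, error) {
	key, iv := []byte("0123456789abcdef"), []byte("constructed-iv16") // constructed key and fixed IV
	payload := []byte("admin=0")                                     // constructed inner data; '0' at offset 6
	encOnly, err := newSA(0x1000, key, nil)
	withICV, err2 := newSA(0x1001, key, []byte("constructed-hmac-key"))
	if err != nil || err2 != nil {
		return "", false, errors.New("bad key")
	}
	got, _, err := espDecap(encOnly, tamper(espEncap(encOnly, 1, iv, payload, 4), 6, 0x01)) // '0'^0x01 == '1'
	_, _, icvErr := espDecap(withICV, tamper(espEncap(withICV, 1, iv, payload, 4), 6, 0x01))
	return string(got), icvErr != nil, err
}

func main() { fmt.Println(demo()) }
```

Running it prints `admin=1 true <nil>`: the encryption-only SA hands the inner stack a packet nobody with the key ever sent, while the SA with HMAC-SHA1-96 rejects it before decrypting. Two properties of the ICV matter for the thread: it is keyed, so producing a packet that passes it does require the SA's authentication key; and it covers only SPI, sequence number, IV and ciphertext, not the outer IP header, so it survives NAT rewriting the addresses, which is exactly what breaks AH and why ESP plus NAT traversal works where AH does not.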


