AH and ESP over IPv6


AH and ESP over IPv6

by fortunato.montresor


Hello list,

I've been trying to figure this out but it looks like I don't know enough about getting flows to get the following working.

I'm trying to use IKE to have IPsec use both AH and ESP in transport mode between two IPv6 OpenBSD 4.4 hosts.

I can get AH Transport mode or ESP Transport mode but I don't quite know how to do both AH and ESP. Any ideas?

Here's a snippet from /etc/ipsec.conf:

  ike esp transport from 2001::10 to 2001::5 psk "secret"

I tried the following:

  ike esp transport from 2001::10 to 2001::5 psk "secret"
  flow ah from 2001::10 to 2001::5

I'd like to avoid a discussion on the merits of AH versus ESP. AH is required to provide authentication for the IPv6 header. ESP provides authentication, but in the context of an integrity check value for the IPv6 payload, not the IPv6 header.

Additionally, from what I've read in the RFC, ESP authentication is optional. Therefore my follow-up question is, "Is there a way to turn off the optional ESP authentication in OpenBSD?"

Thanks in advance
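The header-coverage point made above (ESP's ICV stops at the ESP header, AH's ICV also covers the immutable parts of the IPv6 header) can be shown with a constructed transport-mode packet. This is an added example, not code from the thread or from OpenBSD; it uses NULL encryption, HMAC-SHA-256-128 per RFC 4868, and made-up SPIs and keys, and models the IPv6 | AH | ESP | data layout the poster is asking for.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"          # constructed; real SA keys come from IKE
SPI_ESP, SPI_AH, SEQ = 0x1000, 0x2000, 1  # constructed SPIs and sequence number

def ipv6_header(src, dst, payload_len, next_header, hop_limit=64, tclass=0, flow=0):
    """40-byte IPv6 header in the RFC 2460 layout."""
    return (struct.pack("!IHBB", (6 << 28) | (tclass << 20) | flow,
                        payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

def esp_packet(data, next_header=6):
    """ESP header + data + trailer + ICV (RFC 4303, NULL encryption for clarity).
    The ICV covers SPI through trailer only; the IPv6 header is never included."""
    pad_len = (-(len(data) + 2)) % 4
    body = (struct.pack("!II", SPI_ESP, SEQ) + data
            + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header]))
    return body + hmac.new(KEY, body, hashlib.sha256).digest()[:16]

def ah_icv(ip_hdr, ah_payload):
    """AH ICV (RFC 4302) over the IPv6 header with mutable fields zeroed (traffic
    class, flow label, hop limit), the AH header with its ICV field zeroed, and the payload."""
    version_only = struct.unpack("!I", ip_hdr[:4])[0] & 0xF0000000
    fixed_hdr = struct.pack("!I", version_only) + ip_hdr[4:7] + b"\x00" + ip_hdr[8:40]
    # next header = 50 (ESP); payload len = (12 + 16 bytes) / 4 - 2 = 5
    ah_hdr = struct.pack("!BBHII", 50, 5, 0, SPI_AH, SEQ) + bytes(16)
    return hmac.new(KEY, fixed_hdr + ah_hdr + ah_payload, hashlib.sha256).digest()[:16]

def transport_icvs(src, dst, data, hop_limit=64):
    """Return (esp_icv, ah_icv) for IPv6 | AH | ESP | data in transport mode."""
    esp = esp_packet(data)
    hdr = ipv6_header(src, dst, 28 + len(esp), 51, hop_limit)  # next header 51 = AH
    return esp[-16:], ah_icv(hdr, esp)

def header_tamper_detected(src, dst, data, new_dst):
    """Which ICV changes when the destination address is rewritten in transit?"""
    esp1, ah1 = transport_icvs(src, dst, data)
    esp2, ah2 = transport_icvs(src, new_dst, data)
    return {"esp": esp1 != esp2, "ah": ah1 != ah2}

def hop_limit_decrement_survives(src, dst, data):
    """A router's hop-limit decrement must not break AH: hop limit is a mutable field."""
    _, ah1 = transport_icvs(src, dst, data, hop_limit=64)
    _, ah2 = transport_icvs(src, dst, data, hop_limit=63)
    return ah1 == ah2
```

Running `header_tamper_detected("2001::10", "2001::5", b"...", "2001::6")` shows the ESP ICV unchanged and the AH ICV changed, which is exactly the gap the poster wants AH to close.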


Re: AH and ESP over IPv6

by Christian Weisgerber


Fortunato <fortunato.montresor@...> wrote:

> I'm trying to use IKE to have IPsec use both AH and ESP in transport
> mode between two IPv6 OpenBSD 4.4 hosts.
>
> I can get AH Transport mode or ESP Transport mode but I don't quite know
> how to do both AH and ESP. Any ideas?

You cannot do this with ipsecctl.  I don't know if it is possible
to set this up with isakmpd.conf.

In fact, ipsecctl does not provide a way to set up an SA bundle for
static keying, which used to be possible with ipsecadm.

> Therefore my follow up question is, "Is there a way to turn
> off the optional ESP authentication in OpenBSD?"

From a quick glance at netinet/ip_esp.c, I think it is possible to
set up an ESP SA without authentication, but no userland tool
supports this.

--
Christian "naddy" Weisgerber                          naddy@...