#35 ESP and AH in tunnel, without double authentication

Group: racoon
Status: closed
Owner: nobody
Priority: 5
Updated: 2009-01-16
Created: 2006-08-12
Creator: tooti
Private: No

I want to establish a connection between 2 peers and
use Racoon to secure this flow; the security policy is
to use both the ESP and AH protocols in tunnel mode:

the router of our network needs the authentication data
in the header of the packet, so the AH protocol
should be used for authentication (because the ESP
authentication data is in the trailer part of the ESP
packet), and the ESP protocol is also needed for
encryption.

This is the part of setkey.conf to achieve this goal:

spdadd 10.10.10.132 10.10.10.145 any -P in ipsec esp/tunnel/10.10.10.132-10.10.10.145/require ah/tunnel/10.10.10.132-10.10.10.145/require;
spdadd 10.10.10.145 10.10.10.132 any -P out ipsec esp/tunnel/10.10.10.145-10.10.10.132/require ah/tunnel/10.10.10.145-10.10.10.132/require;

and the sainfo part of racoon.conf:

sainfo anonymous
{
pfs_group 2;
encryption_algorithm 3des;
#lifetime byte 1000 B; # B,KB,GB
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}

Now the problem occurs!

Racoon uses the sainfo configuration for both the ESP and AH
protocols: it first authenticates and encrypts the data
for ESP, and then authenticates all the
new data with the AH protocol, so we will have double
authentication, one for ESP and one for AH.

Is there a solution to force Racoon not to authenticate
data in the ESP protocol but only in AH? I mean there should be
2 separate sainfo configurations for the ESP and AH
protocols.
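
The packet layout the post is arguing about, as an added example that is not code from the post or from ipsec-tools: it builds the tunnel-mode AH-over-ESP packet the setkey policy above produces, once with ESP carrying no ICV (the AH-only authentication the poster wants) and once with ESP carrying its own ICV as well (the double authentication the poster is complaining about), and reports where each ICV sits. AH follows RFC 4302 (ICV over the outer packet with mutable IPv4 fields zeroed, HMAC-MD5-96) and ESP follows RFC 4303; the keys, addresses and inner packet are constructed, and the "encryption" is a stdlib XOR keystream standing in for 3DES-CBC so the script runs offline.

```python
import hashlib
import hmac
import struct

# Constructed sample keys (not real keys): AH integrity key and, when the ESP SA
# also authenticates, a separate ESP integrity key.
AH_KEY = bytes(range(16))
ESP_AUTH_KEY = bytes(range(16, 32))
ICV_LEN = 12                      # HMAC-MD5-96: 16-byte MAC truncated to 96 bits
IPPROTO_IPIP, IPPROTO_ESP, IPPROTO_AH = 4, 50, 51


def ip_checksum(data):
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def toy_encrypt(data, key):
    """Stand-in for 3DES-CBC so the example needs only the stdlib: an XOR
    keystream from MD5(key || block counter). Not a real cipher; do not reuse."""
    out = bytearray()
    for i in range(0, len(data), 16):
        ks = hashlib.md5(key + struct.pack("!I", i // 16)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 16], ks))
    return bytes(out)


def esp_packet(inner_ip, spi, seq, enc_key, auth_key=None):
    """RFC 4303: SPI | seq | enc(payload | padding | pad len | next hdr) | [ICV]."""
    pad_len = (-(len(inner_ip) + 2)) % 4       # trailer must end on a 4-byte boundary
    plaintext = inner_ip + bytes(range(1, pad_len + 1)) + bytes([pad_len, IPPROTO_IPIP])
    body = struct.pack("!II", spi, seq) + toy_encrypt(plaintext, enc_key)
    if auth_key is None:
        return body                            # racoon "non_auth": ESP carries no ICV
    icv = hmac.new(auth_key, body, hashlib.md5).digest()[:ICV_LEN]
    return body + icv                          # ESP's ICV is a trailer


def ah_icv_input(packet, ah_off):
    """RFC 4302: ICV covers the whole outer packet with the mutable IPv4 fields
    (TOS, flags/fragment offset, TTL, header checksum) and the ICV itself zeroed."""
    p = bytearray(packet)
    p[1] = 0
    p[6:8] = b"\x00\x00"
    p[8] = 0
    p[10:12] = b"\x00\x00"
    p[ah_off + 12:ah_off + 12 + ICV_LEN] = bytes(ICV_LEN)
    return bytes(p)


def build_ah_esp_tunnel(inner_ip, src, dst, esp_auth=False):
    """Outer IP | AH | ESP | enc(inner IP): the policy 'esp/tunnel ... ah/tunnel'."""
    esp = esp_packet(inner_ip, 0x1000, 1, b"k" * 24, ESP_AUTH_KEY if esp_auth else None)
    ah_len_words = (12 + ICV_LEN) // 4 - 2     # AH "payload len" is in 32-bit words minus 2
    ah = struct.pack("!BBHII", IPPROTO_ESP, ah_len_words, 0, 0x2000, 1) + bytes(ICV_LEN)
    outer = ipv4_header(src, dst, IPPROTO_AH, 20 + len(ah) + len(esp)) + ah + esp
    icv = hmac.new(AH_KEY, ah_icv_input(outer, 20), hashlib.md5).digest()[:ICV_LEN]
    return outer[:32] + icv + outer[32 + ICV_LEN:]


def verify_ah(packet):
    """What a router holding the AH key can check without touching ESP."""
    expected = hmac.new(AH_KEY, ah_icv_input(packet, 20), hashlib.md5).digest()[:ICV_LEN]
    return hmac.compare_digest(packet[32:32 + ICV_LEN], expected)


def locate_icvs(packet, esp_auth):
    """Byte ranges of each ICV. The AH ICV is at a fixed offset after the AH
    SPI/sequence; the ESP ICV ends the packet, and its start is only known if
    you know the ICV length negotiated for the ESP SA."""
    ah_off = (packet[0] & 0x0F) * 4
    ah_total = (packet[ah_off + 1] + 2) * 4
    icvs = {"ah_icv": (ah_off + 12, ah_off + ah_total)}
    if esp_auth:
        icvs["esp_icv"] = (len(packet) - ICV_LEN, len(packet))
    return icvs


if __name__ == "__main__":
    inner = b"\x45" + bytes(39)                 # constructed 40-byte inner IPv4 packet
    for esp_auth in (False, True):
        pkt = build_ah_esp_tunnel(inner, "10.10.10.145", "10.10.10.132", esp_auth)
        print("esp_auth=%s len=%d icvs=%s ah_ok=%s"
              % (esp_auth, len(pkt), locate_icvs(pkt, esp_auth), verify_ah(pkt)))
```

With `esp_auth=False` there is exactly one ICV, in the AH header, and `verify_ah` still passes after a router decrements the outer TTL, since TTL is a mutable field excluded from the AH ICV. The caveat to keep in mind when turning off ESP's own ICV: the ESP SA is then unauthenticated on its own, and integrity of the ciphertext rests entirely on the enclosing AH SA covering the whole ESP packet, so the AH policy must stay `require`, never `use`.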

Discussion

  • Nobody/Anonymous

    Logged In: NO

    try

    sainfo anonymous
    {
    ...
    authentication_algorithm non_auth, hmac_md5;
    ...
    }

  • Timo Teras - 2009-01-16
    • status: open --> closed

  • Timo Teras - 2009-01-16

    Closing all sourceforge.net bugs. If this issue has not been cared for, please submit a new bug report to the https://trac.ipsec-tools.net/ issue tracker. Thank you.
