#35 ESP and AH in tunnel, without double authentication


I want to establish a connection between 2 peers and
use Racoon to secure this flow; the security policy is
to use both ESP and AH protocols in tunnel mode:

The router of our network needs the authentication data
in the header of the packet, so the AH protocol
should be used for authentication (because ESP
authentication data is in the trailer part of the ESP
packet), and the ESP protocol is also needed for
encryption.

This is the part of setkey.conf to achieve this goal:

spdadd any -P in ipsec esp/tunnel/ ah/tunnel/10.
spdadd any -P out ipsec esp/tunnel/ ah/tunnel/10.

and the sainfo part of racoon.conf:

sainfo anonymous {
    pfs_group 2;
    encryption_algorithm 3des;
    #lifetime byte 1000 B; # B,KB,GB
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

Now the problem occurs!

Racoon uses the sainfo configuration for both the ESP and AH
protocols: it first authenticates and encrypts the data
with ESP, and then authenticates all the new data with
the AH protocol, so we will have double
authentication, one for ESP and one for AH.

Is there a solution to force Racoon not to authenticate
data in the ESP protocol but in AH? I mean there should be
2 separate sainfo configurations for ESP and AH.


  • Nobody/Anonymous


    sainfo anonymous {
        authentication_algorithm non_auth, hmac_md5;
    }
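As an added illustration (not from the bug report or the ipsec-tools project), here is how the two configuration fragments fit together when the suggestion above is applied: the SPD bundles ESP and AH in tunnel mode, and the sainfo section lists non_auth so that racoon can propose an ESP SA without its own ICV while AH still carries hmac_md5. The subnet and gateway addresses are constructed placeholders, and the setkey -D check at the end is how to confirm which authentication algorithms the negotiated SAs actually carry, since the peer's proposal choice decides whether the ESP SA ends up with null authentication.

```conf
# setkey.conf (constructed example addresses: the protected subnets are
# 192.168.1.0/24 and 192.168.2.0/24, the tunnel endpoints are
# 203.0.113.1 and 203.0.113.2)
#
# Both SAs are in tunnel mode and both are required; ESP is listed first
# and AH second, as in the report, so the AH ICV sits in the outer header
# where an intermediate router can see it.
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
    esp/tunnel/203.0.113.1-203.0.113.2/require
    ah/tunnel/203.0.113.1-203.0.113.2/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
    esp/tunnel/203.0.113.2-203.0.113.1/require
    ah/tunnel/203.0.113.2-203.0.113.1/require;

# racoon.conf, sainfo section
#
# Before: one authentication algorithm for every SA in the bundle, so the
# ESP SA gets an hmac_md5 ICV in its trailer and the AH SA gets another
# one in its header (the double authentication the report describes).
#sainfo anonymous {
#    pfs_group 2;
#    encryption_algorithm 3des;
#    authentication_algorithm hmac_md5;
#    compression_algorithm deflate;
#}
#
# After: non_auth is added to the list. non_auth is only meaningful for
# ESP (AH always carries an ICV), so racoon can propose ESP with no ICV
# while AH is still proposed with hmac_md5; hmac_md5 stays in the list
# both for the AH SA and as an authenticated ESP alternative.
sainfo anonymous {
    pfs_group 2;
    encryption_algorithm 3des;
    authentication_algorithm non_auth, hmac_md5;
    compression_algorithm deflate;
}

# Check after the tunnel is up: dump the SAD and look at each SA's
# algorithms.
#   setkey -D
# The esp SA should show no HMAC as its authentication algorithm while
# the ah SA shows hmac-md5; if both show hmac-md5, the peer selected the
# authenticated ESP proposal and its own sainfo needs the same change.
```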

  • Timo Teras

    Timo Teras - 2009-01-16
    • status: open --> closed
  • Timo Teras

    Timo Teras - 2009-01-16

    Closing all sourceforge.net bugs. If this issue has not been cared for please submit a new bug report to https://trac.ipsec-tools.net/ issue tracker. Thank you.

