[strongSwan] Questions regarding AH protocol usage

Mohit Mehta mohit.mehta at vyatta.com
Fri Apr 9 23:56:52 CEST 2010

Hi Everyone,

I am a developer at Vyatta [ http://www.vyatta.org/ ] and I would like to start by thanking and congratulating the Strongswan developers and community for building this robust and stable software. With release Vyatta Core 6.0 which happened last week, we've integrated Strongswan for providing the VPN functionality in Vyatta and so far the experience has been excellent. Also, thanks to the community for helping me out with the few questions I posted here previously while I was integrating Strongswan into Vyatta :-) 

OK, now let me get started with some questions I've had trying to figure out how to use AH protocol with Strongswan :

1. Am I right in assuming that with Strongswan, AH can only be used in conjunction with ESP, i.e. when 'auth=ah' is used in the config file, authentication will happen first using the checksum in the AH header and then using the checksum in the ESP payload? In other words, I cannot just have AH and not use ESP? At least this post from Andreas seems to suggest so: https://lists.strongswan.org/pipermail/users/2005-August/000930.html . That post was some time ago and I wanted to confirm if that's still true.

2. If point 1 is indeed true and, also, if the AH hash algorithm used is the one mentioned in the 'esp=' line, then I would think the 'ah=hash-name' parameter mentioned in the man page is redundant?
In fact, when I tried using that parameter as 'ah=hmac-md5', I got the following errors on start-up:

Starting strongSwan 4.3.2 IPsec [starter]...
/etc/ipsec.conf:43: unknown keyword 'ah' [hmac-md5]
unable to start strongSwan -- fatal errors in config

3. Lastly :-) if we indeed cannot use AH without using ESP and if I wanted to turn off encryption by specifying 'esp=null-sha1!' then I'd imagine only authentication would happen in both AH and ESP. I can see that turning off encryption is possible as mentioned here http://www.strongswan.org/uml/testresults43/ikev1/esp-alg-null/ and I see that works. However, if used in conjunction with 'auth=ah', this doesn't seem to work. Here's the output from `ipsec statusall`:

000 "peer-":; unrouted; eroute owner: #0
000 "peer-":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "peer-":   policy: PSK+ENCRYPT+AUTHENTICATE+TUNNEL+PFS+UP; prio: 32,32; interface: eth1;
000 "peer-":   newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "peer-":   IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_1536
000 #2: "peer-" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 14s
000 #1: "peer-" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 27791s; newest ISAKMP

So, as you can see, the ESP proposal isn't even seen in the output now. My question is: is this even supposed to work, or is this a bug?

I would really appreciate any response helping with these questions.

