[strongSwan] Questions regarding AH protocol usage

Mohit Mehta mohit.mehta at vyatta.com
Sun Apr 11 01:52:31 CEST 2010

Hi Andreas,

Thanks again for your prompt reply - much appreciated. Please see my comments/response below.

> >
> AH without ESP is not possible with the IKEv1 pluto daemon.
> With auth=ah, the optional ESP authentication checksum is replaced
> by an additional AH header.

Does this mean that 'AH authentication replaces authentication in ESP' or does it mean that 'in addition to ESP authentication, AH authentication also happens'? Can you please clarify this please since I'm not sure how to interpret 'replaced by an additional AH header' in your reply :-)

> As mentioned above, the AH implementation dates back to early
> FreeS/WAN times (about 10 years ago) and AH never has been
> wholeheartedly supported. Thus it is no surprise that some aspects
> of AH might be broken. 

Thanks for the red flag there.

> Our new IKEv2 charon daemon does not support
> AH at all since we don't see any need for it. But if you are
> interested in sponsoring some AH development then we would be
> willing to do it.

As of now, we haven't integrated IKEv2 functionality of Strongswan into Vyatta, so getting AH in IKEv2 doesn't seem like a priority here. In any case that's not a decision I can make since I'm just a developer and not really calling the shots here :-)


More information about the Users mailing list