[strongSwan] AH mode support in Strongswan for Ikev1

Simon Chan simon.chan3 at yahoo.ca
Mon May 28 22:32:53 CEST 2012

Hi Andreas,

Is AES-GMAC a recent addition to StrongSwan? Is it supported in version 4.4.1?
I searched for GMAC support earlier and found a post from you (back in 2009 I think) stating aes-gmac is not supported because the kernel does not support it and AH does not survive NAT-T.


----- Original Message ----- 
From: "Andreas Steffen" <andreas.steffen at strongswan.org>
To: "SaRaVanAn" <saravanan.nagarajan87 at gmail.com>
Cc: <users at lists.strongswan.org>
Sent: Monday, May 28, 2012 7:54 AM
Subject: Re: [strongSwan] [Strongswan] AH mode support in Strongswan for Ikev1


AH withouth ESP is not supported by strongSwan IKEv1 (which goes all
the way back to FreeS/WAN).

With auth=esp which is the default you opt for ESP encryption and ESP's
optional authentication mode.

With auth=ah you get ESP encryption withouth ESP's optional
authentication mode but you get AH on top of ESP instead.

If you don't want to encrypt your packets please use either
ESP NULL encryption






-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120528/d2251b04/attachment.html>

More information about the Users mailing list