
Issue #2919

IPsec AH enabled by default?

Added by Tom Hsiung 6 months ago. Updated 3 months ago.

Status:
Closed
Priority:
Normal
Category:
configuration
Affected version:
5.7.2
Resolution:
No change required

Description

Hello,

Because in theory the AH header protects the outer IP header, and because my office uses NAT, the outer IP header (source IP) would be modified by the external ethernet iptables, so would the AH function function normally?

If so, how does strongSwan figure out the issue of NAPT? I mean, multiple private addresses are translated to a single public IP. In the condition where no IPsec is deployed, NAPT maps the inner source IP and inner source port to the external IP and external source port. But with IPsec enabled, there is no outer TCP or UDP header, so what to do next?

Tom

History

#1 Updated by Tom Hsiung 6 months ago

See this figure for illustration (by http://www.unixwiz.net/techtips/iguide-ipsec.html).

#2 Updated by Tobias Brunner 6 months ago

  • Tracker changed from Feature to Issue
  • Status changed from New to Feedback
  • Start date deleted (12.02.2019)
  • Affected version set to 5.7.2

so would the AH function function normally?

No, AH does not work over NATs (which the page you refer to clearly explains in the section "AH and NAT — Not Gonna Happen").
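Why the answer is no, as an added example that is neither part of this thread nor strongSwan code: the AH ICV is computed over the outer IP header with only the mutable fields (DSCP/ECN, flags/fragment offset, TTL, checksum) zeroed (RFC 4302), so the source address a NAT rewrites is covered and the receiver's check fails; the ESP ICV covers only the ESP header and payload (RFC 4303), so the same rewrite leaves it valid; and NAT-T (RFC 3948) wraps ESP in UDP port 4500, which is what gives a NAPT a port to translate. The script below models that on constructed packets: the key, SPIs, addresses and the inner packet are made up, ENCR_NULL keeps the integrity coverage visible, and no IKE is involved.

```python
"""AH vs ESP integrity coverage across a NAT (constructed example, not strongSwan code)."""
import hashlib
import hmac
import struct

KEY = bytes(range(32))   # constructed SA key; a real key is derived by IKE
ICV_LEN = 16             # HMAC-SHA256-128 (RFC 4868) truncates the MAC to 128 bits


def ip2b(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))


def ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


# AH (IP protocol 51): the ICV covers the outer IP header with mutable fields zeroed (RFC 4302 3.3.3.1)
def ah_zero_mutable(ip_hdr: bytes) -> bytes:
    h = bytearray(ip_hdr)
    h[1] = 0                  # DSCP/ECN
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)           # source and destination addresses remain covered


def build_ah(src: bytes, dst: bytes, inner: bytes, spi: int, seq: int) -> bytes:
    ah_hdr = struct.pack("!BBHII", 4, 5, 0, spi, seq)   # next header 4 = IPv4 (tunnel), len (12+16)/4-2
    ip_hdr = ipv4_header(src, dst, 51, 20 + 12 + ICV_LEN + len(inner))
    icv = mac(ah_zero_mutable(ip_hdr) + ah_hdr + b"\x00" * ICV_LEN + inner)
    return ip_hdr + ah_hdr + icv + inner


def verify_ah(pkt: bytes) -> bool:
    ip_hdr, ah_hdr, icv, inner = pkt[:20], pkt[20:32], pkt[32:48], pkt[48:]
    return hmac.compare_digest(mac(ah_zero_mutable(ip_hdr) + ah_hdr + b"\x00" * ICV_LEN + inner), icv)


# ESP (IP protocol 50) with ENCR_NULL: the ICV covers SPI, sequence number and payload only (RFC 4303)
def build_esp(src: bytes, dst: bytes, inner: bytes, spi: int, seq: int) -> bytes:
    pad_len = (-(len(inner) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, 4])   # padding, pad length, next header
    body = struct.pack("!II", spi, seq) + inner + trailer
    return ipv4_header(src, dst, 50, 20 + len(body) + ICV_LEN) + body + mac(body)


def verify_esp(pkt: bytes, udp_encap: bool = False) -> bool:
    start = 28 if udp_encap else 20      # skip the 8-byte UDP header when NAT-T encapsulated
    body, icv = pkt[start:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(mac(body), icv)


# NAT-T (RFC 3948): carry ESP inside UDP/4500 so a NAPT has a port to translate
def udp_encapsulate(esp_pkt: bytes, sport: int = 4500, dport: int = 4500) -> bytes:
    ip_hdr, esp = esp_pkt[:20], esp_pkt[20:]
    udp = struct.pack("!HHHH", sport, dport, 8 + len(esp), 0)   # UDP checksum 0 is permitted over IPv4
    return ipv4_header(ip_hdr[12:16], ip_hdr[16:20], 17, 28 + len(esp)) + udp + esp


# A plain router hop only decrements TTL; a NAPT also rewrites the source address (and UDP source port)
def router_hop(pkt: bytes) -> bytes:
    h = bytearray(pkt[:20])
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h) + pkt[20:]


def napt(pkt: bytes, new_src: str, new_sport: int = None) -> bytes:
    h = bytearray(pkt[:20])
    h[12:16] = ip2b(new_src)
    rest = pkt[20:]
    if h[9] == 17 and new_sport is not None:      # UDP: translate the source port as well
        rest = struct.pack("!H", new_sport) + rest[2:]
    return router_hop(bytes(h) + rest)


def demo() -> dict:
    inner = b"\x45\x00\x00\x1c" + b"\x00" * 24    # constructed 28-byte inner IPv4 packet stub
    src, dst = ip2b("192.168.1.10"), ip2b("203.0.113.9")
    ah = build_ah(src, dst, inner, 0x1001, 1)
    esp = build_esp(src, dst, inner, 0x2002, 1)
    natt = udp_encapsulate(esp)
    return {
        "ah_after_router": verify_ah(router_hop(ah)),                  # True: TTL is mutable, not covered
        "ah_after_nat": verify_ah(napt(ah, "198.51.100.7")),           # False: source address is covered
        "esp_after_nat": verify_esp(napt(esp, "198.51.100.7")),        # True: outer header not covered
        "esp_natt_after_napt": verify_esp(napt(natt, "198.51.100.7", 61000), udp_encap=True),  # True
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ICV valid' if ok else 'ICV FAILED'}")
```

The `forceencaps=yes` setting in the configuration posted later in this thread requests exactly the UDP encapsulation modelled by `udp_encapsulate`, which is why ESP, unlike AH, can be carried through the office NAPT.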

#3 Updated by Tom Hsiung 6 months ago

Tobias Brunner wrote:

so would the AH function function normally?

No, AH does not work over NATs (which the page you refer to clearly explains in the section "AH and NAT — Not Gonna Happen").

OK. So by default strongSwan does not enable the AH function, right?

#4 Updated by Tobias Brunner 6 months ago

So by default strongSwan does not enable the AH function, right?

No, why would you think it does?

#5 Updated by Tom Hsiung 6 months ago

Although ESP protects the inner IP header, the new outer header is not protected by ESP. I think strongSwan is easy to deploy and configure, if provided with detailed support documentation. I chose IPsec for reasons of network security, so optimally both AH and ESP are needed.

Can strongSwan provide both AH and ESP? Although for me AH is impossible right now.

Tom

#6 Updated by Tobias Brunner 6 months ago

so optimally, both AH and ESP are needed.

That combination is not recommended (see e.g. RFC 8221).

Can Stongswan provide both AH and ESP?

No, only one or the other.

#7 Updated by Tom Hsiung 6 months ago

conn %default
    keyexchange=ikev2

conn roadwarrior
    auto=add
    compress=no
    type=tunnel
    # IKE message fragmentation
    fragmentation=yes
    # always UDP-encapsulate ESP (NAT-T), even when no NAT is detected
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    leftsendcert=always
    left=%any
    leftcert=s1.pem
    leftid=xxx.xxx.com
    leftsubnet=0.0.0.0/0
    right=%any
    #rightauth=pubkey
    rightauth=xxx
    #rightcert=c1.pem
    rightsourceip=x.x.1.0/24
    rightid=%any
    #rightsendcert=never

According to my ipsec.conf configuration, ESP is enabled, right?

Tom

#8 Updated by Tobias Brunner 6 months ago

Please read the documentation or man page.

#9 Updated by Tobias Brunner 3 months ago

  • Category set to configuration
  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required
