IPsec AH enabled by default?
Because, in theory, the AH header protects the outer IP header, and because my office uses NAT, the outer IP header (source IP) would be modified by the external Ethernet iptables, so would AH function normally?
If so, how does strongSwan figure out the issue of NATP? I mean, multiple private addresses are translated to a single public IP. Where no IPsec is deployed, NATP maps the inner source IP and inner source port to an external IP and external source port. But with IPsec enabled, there is no outer TCP or UDP header, so what happens next?
#2 Updated by Tobias Brunner 6 months ago
- Tracker changed from Feature to Issue
- Status changed from New to Feedback
- Start date deleted (
- Affected version set to 5.7.2
so would AH function normally?
No, AH does not work over NATs (which the page you refer to clearly explains in the section "AH and NAT — Not Gonna Happen").
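To make the point above concrete, here is an added Python sketch (not strongSwan code and not part of this thread) of what the AH integrity check covers: it authenticates the outer IP header with only the RFC 4302 mutable fields (TOS, flags/fragment offset, TTL, checksum) zeroed, so a NAT rewriting the source address invalidates the ICV, while an ESP-style ICV that covers only the ESP header and payload still verifies after the same rewrite. The key, addresses and packet contents are constructed, and the ESP side is reduced to ICV coverage only (no encryption, padding or trailer).

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"  # constructed demo key, not real SA material


def ipv4_header(src: str, dst: str, proto: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options); header checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 40, 0x1234, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def zero_mutable(hdr: bytes) -> bytes:
    """RFC 4302 section 3.3.3.1: TOS, flags/fragment offset, TTL and checksum are zeroed
    before computing the ICV; source and destination addresses are covered as sent."""
    h = bytearray(hdr)
    h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"
    return bytes(h)

def ah_icv(hdr: bytes, payload: bytes, spi: int = 0x100, seq: int = 1) -> bytes:
    """AH (proto 51): HMAC-SHA-256-128 over immutable IP fields + AH header + payload."""
    ah = struct.pack("!BBHII", 17, 5, 0, spi, seq) + b"\0" * 16   # ICV field zeroed for the MAC
    return hmac.new(KEY, zero_mutable(hdr) + ah + payload, hashlib.sha256).digest()[:16]

def esp_icv(payload: bytes, spi: int = 0x200, seq: int = 1) -> bytes:
    """ESP (proto 50): the ICV covers only the ESP header and payload, never the outer IP header."""
    return hmac.new(KEY, struct.pack("!II", spi, seq) + payload, hashlib.sha256).digest()[:16]

def nat_rewrite(hdr: bytes, new_src: str) -> bytes:
    """Simulated NAT hop: source address replaced and TTL decremented (checksum stays zero here)."""
    h = bytearray(hdr)
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    h[8] -= 1
    return bytes(h)

def demo() -> dict:
    payload = b"constructed inner packet"
    hdr = ipv4_header("192.168.1.10", "203.0.113.5", proto=51)   # constructed private -> public
    icv_ah, icv_esp = ah_icv(hdr, payload), esp_icv(payload)
    routed = bytearray(hdr); routed[8] -= 1          # plain router: only the mutable TTL changes
    natted = nat_rewrite(hdr, "198.51.100.7")        # NAT: the covered source address changes
    return {
        "ah_ok_after_plain_router": hmac.compare_digest(ah_icv(bytes(routed), payload), icv_ah),
        "ah_ok_after_nat": hmac.compare_digest(ah_icv(natted, payload), icv_ah),
        "esp_ok_after_nat": hmac.compare_digest(esp_icv(payload), icv_esp),
    }
```

Running `demo()` returns True for the plain-router case and the ESP case and False for AH after NAT, which is exactly why a NAT between the peers breaks AH but not ESP.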
#5 Updated by Tom Hsiung 6 months ago
Although ESP protects the inner IP header, the new outer header is not protected by ESP. I think strongSwan is easy to deploy and configure, if I am provided with a detailed support document. I chose IPsec for reasons of network security, so optimally both AH and ESP are needed.
Can strongSwan provide both AH and ESP? Although for me AH is impossible right now.
#7 Updated by Tom Hsiung 6 months ago
According to my ipsec.conf configuration, ESP is enabled, right?