Bug 158245 - Making AH optional for IPSec
Summary: Making AH optional for IPSec
Status: CLOSED DUPLICATE of bug 122452
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: initscripts
Version: 4.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: Brock Organ
Depends On:
Reported: 2005-05-19 20:18 UTC by Aleksandar Milivojevic
Modified: 2014-03-17 02:54 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Last Closed: 2005-05-19 20:26:27 UTC
Target Upstream Version:

Attachments:
one way to do it (deleted), 2005-05-19 20:18 UTC, Aleksandar Milivojevic

Description Aleksandar Milivojevic 2005-05-19 20:18:37 UTC
Description of problem:
Hi Bill,

While solving some problems I had with IPSec, and looking around how other
people solved them, I realized that many folks choose to use ESP only (no AH)
when building tunnels.  Also, according to IPSec HOWTO
(, AH is incompatible with NAT-traversal (only ESP
can be used with it).  Since ESP can also provide for packet authentication,
using AH should be a configuration option.  Implementing this option could be a
step toward having an option for NAT-traversal in the future.

I've included a patch against initscripts 7.93.11 (ifup and ifdown).  Not tested
yet, just to show the general idea.  The patch is simple, a couple of if
statements and duplication of code.

If you find this option to be worth inclusion into the initscripts, I'll do the
testing, and resubmit the patch (if needed).  I could also work on a bit more
complicated version of the patch.  Basically, it would build a "setkey" script in
a temporary directory, and then execute it.  The code would look something like this:

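# Start the setkey script
cat > /tmp/blahblah <<EOF
#! /usr/sbin/setkey -f

blah blah
EOF

# Append the AH part only when requested
if [ -n "$USE_AH" ]; then
  cat >> /tmp/blahblah <<EOF
more blah blah
EOF
fi

# Execute the script, then clean up
chmod 755 /tmp/blahblah
/tmp/blahblah
rm -f /tmp/blahblah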

Or something similar to the above.  That would make ifup/ifdown-ipsec scripts
more manageable as features are added in the future (no duplication of code).

So basically, let me know what you think about it...

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Actual results:

Expected results:

Additional info:

Comment 1 Aleksandar Milivojevic 2005-05-19 20:18:37 UTC
Created attachment 114591
one way to do it

Comment 2 Bill Nottingham 2005-05-19 20:26:27 UTC

*** This bug has been marked as a duplicate of 122452 ***
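
The script-generation approach sketched in the description above, as an added example (it is not the attached patch and not initscripts code): one function emits the setkey(8) policy with the AH rule included only on request, and the file is created with mktemp because a fixed name under /tmp written by a root-run script is open to symlink races. The function names, the yes/no AH flag and the documentation-range addresses are assumptions.

```shell
#!/bin/sh
# Added example: build setkey(8) SPD entries for a tunnel, with AH optional.
# Function names, the yes/no flag and all addresses are illustrative assumptions.

# gen_spd SRC_GW DST_GW SRC_NET DST_NET USE_AH
# Prints the policy on stdout. ESP is always required; the AH rule is
# appended to each policy only when USE_AH is "yes".
gen_spd() {
    src_gw=$1 dst_gw=$2 src_net=$3 dst_net=$4 use_ah=$5
    ah_out="" ah_in=""
    if [ "$use_ah" = "yes" ]; then
        ah_out=" ah/tunnel/$src_gw-$dst_gw/require"
        ah_in=" ah/tunnel/$dst_gw-$src_gw/require"
    fi
    cat <<EOF
spdadd $src_net $dst_net any -P out ipsec esp/tunnel/$src_gw-$dst_gw/require$ah_out;
spdadd $dst_net $src_net any -P in ipsec esp/tunnel/$dst_gw-$src_gw/require$ah_in;
EOF
}

# write_spd_file SRC_GW DST_GW SRC_NET DST_NET USE_AH
# Writes the policy to a file with an unpredictable name (mktemp creates it
# with owner-only permissions) and prints the path. The file is removed if
# generation fails, so no partial policy is left behind.
write_spd_file() {
    f=$(mktemp "${TMPDIR:-/tmp}/ipsec-spd.XXXXXX") || return 1
    if ! gen_spd "$@" > "$f"; then
        rm -f "$f"
        return 1
    fi
    printf '%s\n' "$f"
}

# Typical use from an ifup-style script (run as root; not executed here):
#   f=$(write_spd_file 192.0.2.1 198.51.100.1 10.0.1.0/24 10.0.2.0/24 no) \
#       && setkey -f "$f"
#   rm -f "$f"
```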
