From mboxrd@z Thu Jan 1 00:00:00 1970
From: Patrick McHardy
Subject: Re: ipsec patches test: minor compilation and policy match issues
Date: Wed, 28 Apr 2004 02:30:12 +0200
Sender: netfilter-devel-admin@lists.netfilter.org
Message-ID: <408EFB14.3040906@trash.net>
References: <20040415212034.GE7611@obs.bg> <407FE99D.6010100@trash.net> <20040424101748.GB23401@obs.bg> <19797.1083092339@marajade.sandelman.ottawa.on.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Cc: netfilter-devel@lists.netfilter.org
To: Michael Richardson
In-Reply-To: <19797.1083092339@marajade.sandelman.ottawa.on.ca>
Errors-To: netfilter-devel-admin@lists.netfilter.org
List-Id: netfilter-devel.vger.kernel.org

Michael Richardson wrote:
>>>>>>"Ivan" == Ivan Mitev writes:
>
> Ivan> i tried to use the ipsec policy for a transport mode, AH+ESP,
> Ivan> but i don't manage to get it working (ie pkts are not matched
> Ivan> by the ipsec policy rule) however AH or ESP alone work fine.
>
> Ivan> btw, maybe no one uses AH + ESP, but that's only a test...
>
> There is really no point in mixing them.
> ESP in RFC2401 IPsec (vs 1827) provides authentication.

You're right, especially no one uses AH tunnel + ESP tunnel, but
Linux supports it, so testing these cases is at least as important
as testing the common cases, because bugs in common setups are
likely to show up soon.

Regards
Patrick