Description of problem:

Hi Bill,

While solving some problems I had with IPSec, and looking around at how other people solved them, I realized that many folks choose to use ESP only (no AH) when building tunnels. Also, according to IPSec HOWTO (http://www.ipsec-howto.org/), AH is incompatible with NAT-traversal (only ESP can be used with it).

Since ESP can also provide for packet authentication, using AH should be a configuration option. Implementing this option could be a step to having an option for NAT-traversal in the future.

I've included a patch against initscripts 7.93.11 (ifup and ifdown). Not tested yet, just to show the general idea. The patch is simple, a couple of if statements and duplication of code. If you find this option to be worth inclusion into the initscripts, I'll do the testing, and resubmit the patch (if needed).

I could also work on a bit more complicated version of the patch. Basically, it would build a "setkey" script in a temporary directory, and then execute it. The code would look something like this:

cat > /tmp/blahblah <<EOF
#! /usr/sbin/setkey -f
blah blah
EOF
if [ -n "$USE_AH" ]; then
    cat >> /tmp/blahblah <<EOF
more blah blah
EOF
fi
chmod 755 /tmp/blahblah
/tmp/blahblah
rm -f /tmp/blahblah

Or something similar to the above. That would make ifup/ifdown-ipsec scripts more manageable as features are added in the future (no duplication of code).

So basically, let me know what you think about it...

Version-Release number of selected component (if applicable): 7.93.11

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Created attachment 114591 [details] one way to do it
*** This bug has been marked as a duplicate of 122452 ***
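
The optional-AH idea from the report, as an added example that is not part of the original report or of initscripts: one generator emits the setkey(8) policy for a transport-mode host pair and appends the AH rule only on request, so the ESP-only and ESP+AH variants share the same code. The function names, argument order and the 192.0.2.x addresses are assumptions made for illustration; the temporary file is created with mktemp rather than a fixed name under /tmp.

```sh
#!/bin/sh
# Added example (not initscripts code). Names and addresses are constructed.

# build_policy SRC DST [USE_AH] -> setkey commands on stdout.
# ESP is always required; AH is added only when USE_AH is non-empty.
build_policy() {
    bp_src=$1 bp_dst=$2 bp_use_ah=${3:-}
    for bp_dir in out in; do
        # The inbound policy swaps the two endpoints.
        if [ "$bp_dir" = out ]; then
            bp_a=$bp_src bp_b=$bp_dst
        else
            bp_a=$bp_dst bp_b=$bp_src
        fi
        printf 'spdadd %s %s any -P %s ipsec\n' "$bp_a" "$bp_b" "$bp_dir"
        printf '    esp/transport//require'
        if [ -n "$bp_use_ah" ]; then
            printf '\n    ah/transport//require'
        fi
        printf ';\n'
    done
}

# write_policy SRC DST [USE_AH] -> prints the path of a private temp file.
# mktemp picks an unpredictable name and creates the file mode 0600, so
# another local user cannot pre-create or swap the file before it is used.
write_policy() {
    wp_tmp=$(mktemp "${TMPDIR:-/tmp}/ipsec-policy.XXXXXX") || return 1
    if ! build_policy "$@" > "$wp_tmp"; then
        rm -f "$wp_tmp"
        return 1
    fi
    printf '%s\n' "$wp_tmp"
}

# Demo: print both variants without touching the kernel SPD.
echo "# ESP only"
build_policy 192.0.2.1 192.0.2.2
echo "# ESP + AH"
build_policy 192.0.2.1 192.0.2.2 yes
```

To load a policy, the file returned by write_policy can be passed to `setkey -f` as root, or the output of build_policy piped to `setkey -c`, which needs no temporary file.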