Red Hat Bugzilla – Bug 435445
IPSec ifup script doesn't allow to leave AH transformation out
Last modified: 2008-02-29 10:16:13 EST
The ifup-ipsec script has the presence of AH transformation hardcoded into
itself. Its presence is not configurable - it always generates policies that
contain both ESP and AH transformations.
This is bad for two reasons:
1) AH is superfluous in presence of ESP - ESP sufficiently serves both
authentication (like AH) and encryption
2) The set of transformations should be configurable since there might be
different combinations of them on the other side (e.g. Cisco hardware, other
systems) and the policies need to match strictly on both sides in order for the
security association to be established.
I've also found this:
which corresponds to bug 251494. Seems like my bug is a duplicate of bug 251494,
which in addition contains a proposed fix to the scripts.
*** This bug has been marked as a duplicate of 251494 ***
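
The difference the report describes, as an added example (this is neither the ifup-ipsec source nor the fix proposed in bug 251494): a shell function that emits setkey(8) `spdadd` policy lines for a transport-mode host pair, with the AH transformation optional instead of hardcoded. The function name, its `use_ah` argument and the documentation-range addresses are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration only. build_spd_policy and its use_ah argument are
# hypothetical names, not part of initscripts.
#
# Usage: build_spd_policy SRC DST [yes|no]
# Prints one outbound and one inbound setkey(8) policy line.
build_spd_policy() {
    src=$1
    dst=$2
    use_ah=${3:-yes}    # "yes" reproduces the hardcoded ESP+AH behaviour

    # ESP is always emitted; AH is appended only on request.
    rule="esp/transport//require"
    case "$use_ah" in
        yes) rule="$rule ah/transport//require" ;;
        no)  ;;
        *)   echo "build_spd_policy: third argument must be yes or no" >&2
             return 1 ;;
    esac

    # Both directions carry the same transformation list. The peer has to be
    # configured with the matching list or no security association is set up.
    printf 'spdadd %s %s any -P out ipsec %s;\n' "$src" "$dst" "$rule"
    printf 'spdadd %s %s any -P in ipsec %s;\n'  "$dst" "$src" "$rule"
}

# Constructed sample addresses (RFC 5737 documentation range).
echo "# hardcoded behaviour (ESP and AH):"
build_spd_policy 192.0.2.1 192.0.2.2 yes
echo "# peer that expects ESP only:"
build_spd_policy 192.0.2.1 192.0.2.2 no
```
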