Netgate Discussion Forum

[ER] Any chance of seeing RFC 2410 NULL cypher for IPSec/ESP?

2.1 Snapshot Feedback and Problems - RETIRED
  • R
    rcfa
    last edited by May 30, 2012, 8:04 AM May 28, 2012, 3:30 PM

    Subject says it all…
    ...theoretically not a difficult thing not to encrypt something, but if the IPSec implementation doesn't support that, it's a problem, otherwise it's just a GUI checkbox and a couple of lines of script code.

    • ?
      Guest
      last edited by May 28, 2012, 7:48 PM

      Hm, didn't read the spec, but would null cipher support help with our issues with L2TP on MacOS?
      Maybe it would be acceptable to support cleartext auth, but this would only help for testing things, I think…
      I have an older G4 with OS X in my garage; I can help testing with this machine if someone's interested in getting strong auth working.

      • R
        rcfa
        last edited by May 28, 2012, 9:20 PM

        Well, it helps with cases like mine where one would like to use AH instead of ESP, but AH breaks when NAT is involved, and ESP with a NULL cipher doesn't break in these cases.
        So in essence, ESP with NULL cipher is kind-of like a more robust AH.

        Not sure if it would help with the L2TP over IPSec issue, although there are some reports of L2TP over IPSec working between Windows and pfSense: http://www.administrator.de/Pfsense_L2TP_over_IPSec.html
        (Kind of a longish discussion of problems with an eventual solution, although in German, so for most people around here not very understandable…)
        I have to check out their approach and see if I can make it work with the Mac, although likely only after I can funnel my network through something else than an IPSec link, because with a remote net of 0.0.0.0/0 IPSec gobbles up indiscriminately all my traffic, so another IPSec link may collide there...

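Added example (not from the thread or from pfSense): a simplified Python model of the point made in the post above, showing that the AH integrity check (RFC 4302) covers the outer IP addresses while the ESP check (RFC 4303) with the RFC 2410 NULL cipher does not. The key, addresses, SPIs and payload are constructed, HMAC-SHA1-96 is an assumed integrity algorithm, and the model covers ICV coverage only, not NAT-T encapsulation or inner transport checksums.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"  # constructed sample key, not from the thread

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left at 0 (it is a mutable field)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def icv(data):
    """HMAC-SHA1-96 (RFC 2404): HMAC-SHA1 truncated to 12 bytes."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ah_icv_input(ip_hdr, ah_fixed, payload):
    """RFC 4302: mutable IP fields (TOS, flags/fragment, TTL, checksum) are
    zeroed, but source and destination addresses stay in the signed data."""
    h = bytearray(ip_hdr)
    h[1] = h[8] = 0
    h[6:8] = h[10:12] = b"\0\0"
    return bytes(h) + ah_fixed + b"\0" * 12 + payload  # ICV field zeroed

def build_ah(src, dst, payload, spi=0x1001, seq=1):
    ah_fixed = struct.pack("!BBHII", 6, 4, 0, spi, seq)  # next=TCP, len, rsvd
    ip = ipv4_header(src, dst, 51, len(ah_fixed) + 12 + len(payload))
    return ip, ah_fixed, icv(ah_icv_input(ip, ah_fixed, payload)), payload

def verify_ah(pkt):
    ip, ah_fixed, tag, payload = pkt
    return hmac.compare_digest(tag, icv(ah_icv_input(ip, ah_fixed, payload)))

def build_esp_null(src, dst, payload, spi=0x2001, seq=1):
    """NULL cipher: the 'ciphertext' is the plaintext. The ICV covers the ESP
    header, payload and trailer only, never the outer IP header."""
    pad = (-(len(payload) + 2)) % 4
    body = (struct.pack("!II", spi, seq) + payload
            + bytes(range(1, pad + 1)) + bytes([pad, 6]))  # trailer, next=TCP
    return ipv4_header(src, dst, 50, len(body) + 12), body, icv(body)

def verify_esp(pkt):
    return hmac.compare_digest(pkt[2], icv(pkt[1]))

def nat_rewrite_source(pkt, new_src):
    """What a NAT device does to the outer header: replace the source address."""
    ip = bytearray(pkt[0])
    ip[12:16] = socket.inet_aton(new_src)
    return (bytes(ip),) + tuple(pkt[1:])
```

Because the NULL cipher provides no confidentiality, the payload is readable on the wire; only integrity and origin authentication remain.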
        • ?
          Guest
          last edited by Jun 1, 2012, 9:14 AM

          Hey, thank you for the link :) I'm going to pull out my good old Mac for this!
          After all, we will (hopefully) have less NAT in the future, so it will be easier with such configurations.
          hanD!
