<![CDATA[Why no ESP-NULL?]]>I've got an application in mind where authentication and data integrity is important, but confidentiality not so much. I'd like to do IPSec without encryption.

I've tried setting up an AH tunnel, but without luck (subject of a different thread). The other option seems to be using the NULL encryption option:

http://www.ietf.org/rfc/rfc2410.txt

However, this isn't supported by pfSense.

Is there any particular reason?

]]>https://forum.netgate.com/topic/36704/why-no-esp-nullRSS for NodeMon, 15 Jun 2026 11:26:46 GMTFri, 26 Aug 2011 14:23:16 GMT60<![CDATA[Reply to Why no ESP-NULL? on Fri, 26 Aug 2011 15:13:30 GMT]]>Nobody has ever asked for esp-null to my knowledge, so it's probably lack of demand (and hence lack of funding or submitted code).

The use cases for it are pretty rare as well.

]]>https://forum.netgate.com/post/293350https://forum.netgate.com/post/293350Fri, 26 Aug 2011 15:13:30 GMT<![CDATA[Reply to Why no ESP-NULL? on Fri, 26 Aug 2011 15:11:56 GMT]]>I am indeed after AH. Unfortunately, that hasn't been going terribly well :) (see the next thread down).

With respect to esp-null, I was just curious if there was a particular reason it hadn't been implemented, or if it just hadn't bubbled to the top.

Thanks!

]]>https://forum.netgate.com/post/293349https://forum.netgate.com/post/293349Fri, 26 Aug 2011 15:11:56 GMT<![CDATA[Reply to Why no ESP-NULL? on Fri, 26 Aug 2011 15:09:26 GMT]]>Then AH would be what you'd be after then. I've never tried AH so I'm not sure on the particulars, but in theory it should do the job.

]]>https://forum.netgate.com/post/293347https://forum.netgate.com/post/293347Fri, 26 Aug 2011 15:09:26 GMT<![CDATA[Reply to Why no ESP-NULL? on Fri, 26 Aug 2011 15:07:20 GMT]]>I did not know that. Unfortunately, it will not be pfSense on both ends, and on the non-pfSense end only IPSec will be possible.

]]>https://forum.netgate.com/post/293345https://forum.netgate.com/post/293345Fri, 26 Aug 2011 15:07:20 GMT<![CDATA[Reply to Why no ESP-NULL? on Fri, 26 Aug 2011 15:05:47 GMT]]>If it's pfSense on both ends, we do support the null cipher in OpenVPN.

]]>https://forum.netgate.com/post/293344https://forum.netgate.com/post/293344Fri, 26 Aug 2011 15:05:47 GMT