Why no ESP-NULL?
-
I've got an application in mind where authentication and data integrity are important, but confidentiality not so much. I'd like to do IPSec without encryption.
I've tried setting up an AH tunnel, but without luck (subject of a different thread). The other option seems to be using the NULL encryption option:
http://www.ietf.org/rfc/rfc2410.txt
However, this isn't supported by pfSense.
Is there any particular reason?
-
If it's pfSense on both ends, we do support the null cipher in OpenVPN.
-
I did not know that. Unfortunately, it will not be pfSense on both ends, and on the non-pfSense end only IPSec will be possible.
-
Then AH would be what you'd be after. I've never tried AH so I'm not sure on the particulars, but in theory it should do the job.
-
I am indeed after AH. Unfortunately, that hasn't been going terribly well :) (see the next thread down).
With respect to esp-null, I was just curious if there was a particular reason it hadn't been implemented, or if it just hadn't bubbled to the top.
Thanks!
-
Nobody has ever asked for esp-null to my knowledge, so it's probably lack of demand (and hence lack of funding or submitted code).
The use cases for it are pretty rare as well.
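To make concrete what the original poster is asking for, here is an added example (not from the thread, not pfSense code) that encapsulates and decapsulates an ESP packet with the NULL cipher from RFC 2410 and an HMAC integrity check value, using the ESP header and trailer layout of RFC 4303. The SPI, sequence number, key and payload are constructed sample values; the ICV is HMAC-SHA-256 truncated to 128 bits (RFC 4868). It shows the security property being discussed: the payload travels in the clear, but any modification of the SPI, sequence number, payload or trailer fails the ICV check.

```python
import hashlib
import hmac
import struct

ESP_HEADER_LEN = 8   # SPI (4 bytes) + Sequence Number (4 bytes)
ESP_TRAILER_LEN = 2  # Pad Length (1 byte) + Next Header (1 byte)
ICV_LEN = 16         # HMAC-SHA-256-128: 256-bit MAC truncated to 128 bits (RFC 4868)


def _pad_len(payload_len: int) -> int:
    # The NULL cipher has a block size of 1 (RFC 2410), so the only padding
    # needed is the 4-byte alignment of the Pad Length / Next Header trailer
    # required by RFC 4303 section 2.4.
    return (-(payload_len + ESP_TRAILER_LEN)) % 4


def _icv(auth_key: bytes, authenticated: bytes) -> bytes:
    # ICV covers header, payload, padding and trailer, but not the ICV itself.
    return hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]


def esp_null_encapsulate(spi: int, seq: int, payload: bytes,
                         next_header: int, auth_key: bytes) -> bytes:
    """Build an ESP packet using NULL encryption plus an HMAC ICV."""
    header = struct.pack("!II", spi, seq)
    pad_len = _pad_len(len(payload))
    padding = bytes(range(1, pad_len + 1))  # RFC 4303 default padding 1,2,3...
    trailer = struct.pack("!BB", pad_len, next_header)
    authenticated = header + payload + padding + trailer
    return authenticated + _icv(auth_key, authenticated)


def esp_null_decapsulate(packet: bytes, auth_key: bytes):
    """Verify the ICV, then strip header, padding and trailer.

    Returns (spi, seq, payload, next_header); raises ValueError on any
    integrity failure. The ICV is checked before any field is trusted.
    """
    if len(packet) < ESP_HEADER_LEN + ESP_TRAILER_LEN + ICV_LEN:
        raise ValueError("packet too short for ESP header, trailer and ICV")
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv, _icv(auth_key, authenticated)):
        raise ValueError("ICV mismatch: packet modified or wrong key")
    spi, seq = struct.unpack("!II", authenticated[:ESP_HEADER_LEN])
    pad_len, next_header = struct.unpack("!BB", authenticated[-ESP_TRAILER_LEN:])
    body = authenticated[ESP_HEADER_LEN:-ESP_TRAILER_LEN]
    if pad_len > len(body):
        raise ValueError("pad length exceeds payload")
    payload, padding = body[:len(body) - pad_len], body[len(body) - pad_len:]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("unexpected padding bytes")
    return spi, seq, payload, next_header


def integrity_ok(packet: bytes, auth_key: bytes) -> bool:
    """Convenience wrapper: True if the packet passes decapsulation checks."""
    try:
        esp_null_decapsulate(packet, auth_key)
        return True
    except ValueError:
        return False


def demo():
    # Constructed sample values; a real SA would negotiate these via IKE.
    key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # 256-bit HMAC key
    payload = b"hello from host A"
    pkt = esp_null_encapsulate(spi=0x1000, seq=1, payload=payload,
                               next_header=4, auth_key=key)  # 4 = IP-in-IP (tunnel mode)
    tampered = bytearray(pkt)
    tampered[ESP_HEADER_LEN] ^= 0x01  # flip one bit of the first payload byte
    return {
        "payload_visible_on_wire": payload in pkt,   # NULL cipher: no confidentiality
        "round_trip": esp_null_decapsulate(pkt, key),
        "original_ok": integrity_ok(pkt, key),
        "tampered_ok": integrity_ok(bytes(tampered), key),
        "wrong_key_ok": integrity_ok(pkt, b"\x00" * 32),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The difference from AH, which the thread turns to next, is only in what the ICV covers: AH also authenticates the immutable fields of the outer IP header, which is what makes it awkward across NAT, whereas ESP-NULL authenticates just the ESP header and its contents and so passes through NAT-T like any other ESP.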