[ER] Any chance of seeing RFC 2410 NULL cypher for IPSec/ESP?



  • Subject says it all…
    ...theoretically it's not a difficult thing not to encrypt something, but if the IPSec implementation doesn't support that, it's a problem; otherwise it's just a GUI checkbox and a couple of lines of script code.



  • Hm, didn't read the spec, but would NULL cipher support help with our issues with L2TP on MacOS?
    Maybe it would be acceptable to support cleartext auth, but this would only help for testing things, I think…
    I have an older G4 with OS X in my garage; I can help testing with this machine if someone is interested in getting strong auth working.



  • Well, it helps with cases like mine where one would like to use AH instead of ESP, but AH breaks when NAT is involved, and ESP with a NULL cipher doesn't break in these cases.
    So in essence, ESP with NULL cipher is kind of like a more robust AH.

    Not sure if it would help with the L2TP over IPSec issue, although there are some reports of L2TP over IPSec working between Windows and pfSense: http://www.administrator.de/Pfsense_L2TP_over_IPSec.html
    (Kind of a longish discussion of problems with an eventual solution, although in German, so for most people around here not very understandable…)
    I have to check out their approach and see if I can make it work with the Mac, although likely only after I can funnel my network through something else than an IPSec link, because with a remote net of 0.0.0.0/0 IPSec gobbles up indiscriminately all my traffic, so another IPSec link may collide there...
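The reason the post above gives for preferring ESP with the NULL cipher over AH behind NAT is worth seeing concretely. The following Python model is an added example, not code from the thread or from pfSense: it reduces both protocols to "which bytes does the integrity check value cover", then pushes a sealed packet through a plain router hop (TTL decrement only) and through a NAT hop (source address rewritten). AH authenticates the IP header, with mutable fields such as TTL zeroed but the addresses included, so a NAT rewrite breaks its ICV; ESP's ICV stops at the ESP payload, so the same rewrite is harmless. The `Packet`, `seal`, `verify`, `forward`, `nat` and `run_scenarios` names, the toy header layout and the key are all constructed for the demo and do not reflect the on-the-wire formats.

```python
import hashlib
import hmac
import socket
from dataclasses import dataclass, replace

# Constructed demo key; real IPsec keys come out of the IKE negotiation.
KEY = b"constructed-demo-key-not-from-the-thread"


@dataclass
class Packet:
    src: str
    dst: str
    ttl: int
    mode: str          # "AH" or "ESP-NULL"
    payload: bytes
    icv: bytes = b""


def icv(data: bytes) -> bytes:
    """HMAC-SHA-256 truncated to 128 bits, the shape IPsec integrity algorithms use."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:16]


def toy_ip_header(src: str, dst: str, ttl: int) -> bytes:
    """Minimal stand-in for an IPv4 header: only the fields this demo needs."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + bytes([ttl])


def protected_bytes(pkt: Packet) -> bytes:
    """Which bytes the ICV covers in each protocol (simplified model, not wire layout)."""
    if pkt.mode == "AH":
        # AH covers the IP header as well. Mutable fields such as TTL are
        # zeroed before hashing, but source/destination addresses are
        # immutable fields and therefore authenticated.
        return toy_ip_header(pkt.src, pkt.dst, 0) + pkt.payload
    if pkt.mode == "ESP-NULL":
        # ESP's ICV never includes the outer IP header; here it covers just
        # the payload, which the NULL cipher leaves unencrypted.
        return pkt.payload
    raise ValueError(f"unknown mode {pkt.mode!r}")


def seal(pkt: Packet) -> Packet:
    """Sender side: attach the ICV."""
    return replace(pkt, icv=icv(protected_bytes(pkt)))


def verify(pkt: Packet) -> bool:
    """Receiver side: recompute the ICV and compare in constant time."""
    return hmac.compare_digest(icv(protected_bytes(pkt)), pkt.icv)


def forward(pkt: Packet) -> Packet:
    """A plain router hop: only the mutable TTL changes."""
    return replace(pkt, ttl=pkt.ttl - 1)


def nat(pkt: Packet, public_src: str) -> Packet:
    """A NAT hop: rewrites the source address in addition to decrementing TTL."""
    return replace(pkt, src=public_src, ttl=pkt.ttl - 1)


def run_scenarios() -> dict:
    """Returns {(mode, hop_kind): icv_verified} for AH and ESP-NULL through both hops."""
    payload = b"constructed inner packet"          # constructed sample data
    results = {}
    for mode in ("AH", "ESP-NULL"):
        sent = seal(Packet("192.168.1.10", "203.0.113.5", 64, mode, payload))
        results[(mode, "router")] = verify(forward(sent))
        results[(mode, "nat")] = verify(nat(sent, "198.51.100.7"))
    return results


if __name__ == "__main__":
    for (mode, hop), ok in run_scenarios().items():
        print(f"{mode:9s} through {hop:6s}: {'ICV ok' if ok else 'ICV FAILS'}")
```

Running it shows AH surviving the router hop but failing the NAT hop, while ESP-NULL passes both, which is exactly the "more robust AH" property described above. One caveat the model leaves out: a real NAT device also needs ports to track the flow, so ESP (NULL cipher or not) through NAT normally additionally relies on UDP encapsulation (NAT-T, RFC 3948); the NULL cipher only removes the confidentiality step, not that requirement.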



  • Hey, thank you for the link :) I'm going to pull out my good old Mac for this!
    After all we will (hopefully) have less NAT in the future, so it will be easier with such configurations.
    hanD!

