Disclaimer: I know bugger-all about IPSec.
I looked through this script in devel and it appears that it does
something like this (among other things) when using setkey -c:
------------------------------
spdadd $SPD_SRC $SPD_DST any -P out ipsec
${SPD_ESP_OUT:+esp/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require}
${SPD_AH_OUT:+ah/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require}
;
spdadd $SPD_DST $SPD_SRC any -P in ipsec
${SPD_ESP_IN:+esp/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require}
${SPD_AH_IN:+ah/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require}
;
------------------------------
The HOWTOs (located here:
http://lartc.org/howto/lartc.ipsec.automatic.keying.html and here:
http://www.ipsec-howto.org/x299.html) mention only the ESP bit in
relation to automatic keying, but not the AH bit. From the HOWTOs:
------------------------------
#!/sbin/setkey -f
flush;
spdflush;
spdadd 10.0.0.216 10.0.0.11 any -P out ipsec
esp/transport//require;
spdadd 10.0.0.11 10.0.0.216 any -P in ipsec
esp/transport//require;
------------------------------
------------------------------
#!/usr/sbin/setkey -f
#
# Flush SAD and SPD
flush;
spdflush;
# Create policies for racoon
spdadd 172.16.1.0/24 172.16.2.0/24 any -P out ipsec
esp/tunnel/192.168.1.100-192.168.2.100/require;
spdadd 172.16.2.0/24 172.16.1.0/24 any -P in ipsec
esp/tunnel/192.168.2.100-192.168.1.100/require;
------------------------------
FC5, which I'm using for my IPSec-to-PIX connection, is similar to devel
(i.e. it has the AH bits in spdadd). Does anyone on the list know why the
discrepancy?
The HOWTO method lets me establish a tunnel to PIX. The one from the
script does not...
--
Bojan
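Added example, not from the post above or from the distribution script it quotes: a small POSIX sh script that renders the spdadd statements the way the quoted `${VAR:+...}` template does, so the ESP-only HOWTO form and the ESP+AH form can be put side by side. The variable names follow the quoted script; the addresses are the ones from the two HOWTO snippets, and the helper names (`policy_line`, `render_spd`, `howto_transport_policy`, `tunnel_policy`) are this example's own. It only prints policy text; it does not load anything into the kernel, and whether the remote peer will negotiate an AH SA alongside ESP is a separate question that this script cannot answer.

```shell
#!/bin/sh
# Added example: render setkey spdadd policies from the same variables the
# quoted script uses.  Helper names and sample addresses are constructed here.

# policy_line DIR SRC DST CLAUSE...
# Emit one spdadd statement.  Empty clauses are skipped, which is exactly
# what happens in the quoted script when ${SPD_AH_OUT:+...} expands to nothing.
policy_line() {
    dir=$1; src=$2; dst=$3; shift 3
    line="spdadd $src $dst any -P $dir ipsec"
    for clause in "$@"; do
        if [ -n "$clause" ]; then
            line="$line $clause"
        fi
    done
    printf '%s;\n' "$line"
}

# render_spd: the outbound and inbound policies, built from the globals
# MODE, TUNNEL_MODE, SPD_SRC, SPD_DST, SRC, DST, SPD_ESP_OUT, SPD_AH_OUT,
# SPD_ESP_IN, SPD_AH_IN.  ${X:+word} expands to word only when X is set and
# non-empty, so an empty SPD_AH_* drops the whole ah/... request and an
# empty TUNNEL_MODE leaves the endpoint field blank (esp/transport//require).
render_spd() {
    policy_line out "$SPD_SRC" "$SPD_DST" \
        "${SPD_ESP_OUT:+esp/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require}" \
        "${SPD_AH_OUT:+ah/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require}"
    policy_line in "$SPD_DST" "$SPD_SRC" \
        "${SPD_ESP_IN:+esp/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require}" \
        "${SPD_AH_IN:+ah/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require}"
}

# Transport-mode, ESP-only policy with the addresses from the first HOWTO
# snippet (constructed sample values).
howto_transport_policy() {
    MODE=transport
    TUNNEL_MODE=
    SPD_SRC=10.0.0.216
    SPD_DST=10.0.0.11
    SRC=$SPD_SRC
    DST=$SPD_DST
    SPD_ESP_OUT=1
    SPD_ESP_IN=1
    SPD_AH_OUT=
    SPD_AH_IN=
    render_spd
}

# Tunnel-mode policy with the subnets and gateways from the second HOWTO
# snippet.  Pass a non-empty argument to also request AH, which is what the
# quoted script does when SPD_AH_OUT / SPD_AH_IN are set.
tunnel_policy() {
    MODE=tunnel
    TUNNEL_MODE=1
    SPD_SRC=172.16.1.0/24
    SPD_DST=172.16.2.0/24
    SRC=192.168.1.100
    DST=192.168.2.100
    SPD_ESP_OUT=1
    SPD_ESP_IN=1
    SPD_AH_OUT=$1
    SPD_AH_IN=$1
    render_spd
}

main() {
    printf '# transport mode, ESP only (HOWTO form)\n'
    howto_transport_policy
    printf '# tunnel mode, ESP only (HOWTO racoon form)\n'
    tunnel_policy ""
    printf '# tunnel mode, ESP + AH (what the quoted script emits with SPD_AH_* set)\n'
    tunnel_policy 1
}
main
```

Piping the output of `tunnel_policy ""` through `setkey -c` (after a `flush;` and `spdflush;`) gives the HOWTO policy verbatim; the only thing the script's template adds on top of it is the second `ah/...` request on each line, and clearing `SPD_AH_OUT` and `SPD_AH_IN` removes it again.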