AH (protocol 51) is one protocol in the family of IPsec protocols. Some others are ESP (protocol 50) and IKE (UDP protocol 17/port 500).

AH stands for Authenticated Header, or something like that. Would need to reread the RFCs (www.ietf.org) regarding IPsec to know for sure. I do know that AH only provides for a digital signature and checksum on packets. It does not encrypt (protect the packets). ESP, on the other hand, provides encryption, as well as a digital signature and checksum. Both ESP and AH use IKE.

I have been away from IPsec for a while however, and I believe there are some new protocols which solve other problems, like many-to-nat through home firewalls, corporate gateways, etc.

AH and ESP, as I understand things, are mutually exclusive, and deployers tend to use one or the other (mainly ESP) and stick with it. Various IPsec clients will try to negotiate to the strongest level of security possible, which usually amounts to an ESP tunnel with strong encryption, at least triple DES.

Since you are seeing an AH complaint in your logs, it could be that you just need to add AH to your ruleset, i.e. allow protocol 50 into your firewall.

Bob Brandt, 3M, [EMAIL PROTECTED]

----- Original Message -----
From: "Andre Faille" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 23, 2002 2:19 PM
Subject: [FW-1] VPN and protocol 51

> Topo:
> Firewall1/NG-1 FP1
> VPN setup for outside users
>
> One of our consultants is having problems connecting to us, he's the only one
> displaying this problem... our typical users use SecuRemote via the Internet
> and can connect fine.
>
> The consultant has a LAN setup at home with multiple machines, one of those
> connects to the internet via his own firewall and DSL connection, then uses
> SecuRemote to login to us... Sometimes it works fine, but sometimes I get
> this error in the VPN-1 log entries
>
> Protocol: 51
> Rule: 0
> Dropped
>
> What is a protocol 51 exactly?
>
> Thanks
>
> ============================================
> Andre Faille
> [EMAIL PROTECTED]
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
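
An added example, not part of the original messages: a small Python parser that tells AH (protocol 51), ESP (protocol 50) and IKE (UDP port 500) apart in a captured IPv4 packet, which is the distinction behind the `Protocol: 51` drop in the log above. The function names, sample addresses and SPI values are constructed for illustration; the AH and ESP header layouts are the standard ones from the IPsec RFCs.

```python
import struct

# IP protocol numbers named in the thread (AH = 51, ESP = 50, UDP = 17; IKE is UDP port 500).
PROTO_ESP, PROTO_AH, PROTO_UDP, IKE_PORT = 50, 51, 17, 500

def classify_ipsec(packet: bytes) -> dict:
    """Parse an IPv4 packet and report which IPsec protocol, if any, it carries."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4           # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto = packet[9]                       # IPv4 protocol field
    body = packet[ihl:]
    if proto == PROTO_AH:
        # AH fixed part: next header, payload length, reserved, SPI, sequence number.
        if len(body) < 12:
            raise ValueError("truncated AH header")
        next_hdr, pay_len, _rsv, spi, seq = struct.unpack("!BBHII", body[:12])
        ah_len = (pay_len + 2) * 4          # payload length is in 32-bit words, minus 2
        return {"kind": "AH", "spi": spi, "seq": seq,
                "next_header": next_hdr, "icv_bytes": ah_len - 12}
    if proto == PROTO_ESP:
        if len(body) < 8:
            raise ValueError("truncated ESP header")
        spi, seq = struct.unpack("!II", body[:8])
        return {"kind": "ESP", "spi": spi, "seq": seq}
    if proto == PROTO_UDP and len(body) >= 8:
        sport, dport = struct.unpack("!HH", body[:4])
        if IKE_PORT in (sport, dport):
            return {"kind": "IKE", "sport": sport, "dport": dport}
    return {"kind": "other", "protocol": proto}

def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed sample: minimal IPv4 header (checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1]))
    return hdr + payload

# Constructed packets: AH with next header 4 (IP-in-IP) and a 12-byte ICV, ESP, and IKE.
SAMPLE_AH = build_ipv4(PROTO_AH, struct.pack("!BBHII", 4, 4, 0, 0x1234, 7) + bytes(12))
SAMPLE_ESP = build_ipv4(PROTO_ESP, struct.pack("!II", 0xABCD, 1) + bytes(16))
SAMPLE_IKE = build_ipv4(PROTO_UDP, struct.pack("!HHHH", 500, 500, 8, 0))

if __name__ == "__main__":
    for pkt in (SAMPLE_AH, SAMPLE_ESP, SAMPLE_IKE):
        print(classify_ipsec(pkt))
```

Running the same classifier over packets captured outside the firewall shows whether a given client is sending AH, ESP or only IKE, which tells you which protocol the ruleset has to admit.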
