"Robert B. Brandt" wrote:
>
> AH (protocol 51) is one protocol in the family of IPsec protocols. Some
> others are ESP (protocol 50), and IKE (UDP protocol 17 / port 500).
>
> AH stands for Authenticated Header, or something like that.

Authentication Header.

> Would need to
> reread the RFCs (www.ietf.org) regarding IPsec to know for sure.
> I do know that AH only provides for a digital signature and checksum on
> packets.   It does not encrypt (protect the packets).

Yep... Kinda. The authentication algorithm is not defined. Actually using
a "digital signature" is possible I suppose, but I'm not aware of any
standards that actually do so.

> ESP, on the other hand, provides encryption, as well as a digital signature
> and checksum.

ESP, Encapsulating Security Payload, provides encryption services for the
packet data in transport mode and for an entire datagram in tunnel mode.
Authentication for the data payload of the ESP packet is optionally provided.
ESP _does not_ provide authentication for the final IP header of the ESP
packet like AH. (And same remark about digital signatures.)

> Both ESP and AH use IKE.

Neither ESP nor AH has any dependence on IKE. IKE is a completely separate
protocol for exchanging keying materials and SA information. ESP and AH
keying materials and SAs can be setup manually or by any number of other
means.

> I have been away from IPsec for a while however,
> and I believe there are some new protocols which solve other problems, like
> many-to-nat through home firewalls, corporate gateways, etc.

There are some drafts, but I don't think there are any RFCs out yet.
Someone please correct me if I am wrong.

> AH and ESP, as I understand things, are mutually exclusive, and deployers
> tend to use one or the other (mainly ESP) and stick with it.

They are not mutually exclusive. AH and ESP provide services for handling
arbitrary IP datagrams. Since AH and ESP are themselves IP protocols, there
is nothing stopping you from running one on top of the other in any order
and multiple times. However, from a practical standpoint, only running AH
on top of ESP really makes any sense.

> Various IPsec clients

IPsec is a peer-to-peer protocol just like IP itself. From an IPsec point
of view, there are no clients and servers, just peers.

> will try to negotiate to the strongest level of
> security possible, which usually amounts to an ESP tunnel with strong
> encryption, at least triple DES.
>
> Since you are seeing an AH complaint in your logs, it could be that you just
> need to add AH to your ruleset, i.e., allow protocol 50 into your firewall.

Errr, ITYM protocol 51. Typo. ;)
--
Crist J. Clark                               [EMAIL PROTECTED]
Globalstar Communications                                (408) 933-4387
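Crist's points above that AH and ESP are simply IP protocols 51 and 50, that IKE travels separately on UDP/500, and that AH can be stacked on top of ESP, as an added Python example (not code from the thread or from either poster): it reads only the cleartext fields of a raw IPv4 datagram, follows AH's next-header field, and returns the layers a firewall rule would need to match. The sample packets are constructed, with fixed addresses, a zero checksum and made-up SPI/sequence values.

```python
"""Identify AH (51), ESP (50) and IKE (UDP/500) in raw IPv4 datagrams.
Added example, not from the thread; AH/ESP layouts per RFC 4302/4303. Samples are constructed."""
import struct

PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51
IKE_PORT = 500

def parse_layer(proto: int, body: bytes) -> dict:
    """Describe one protocol layer; only cleartext fields are read."""
    if proto == PROTO_AH:
        if len(body) < 12:
            raise ValueError("truncated AH header")
        nh, plen, _res, spi, seq = struct.unpack("!BBHII", body[:12])
        # AH payload len is in 32-bit words minus 2, so the header spans (plen + 2) * 4 bytes
        return {"kind": "AH", "next_header": nh, "spi": spi, "seq": seq, "ah_len": (plen + 2) * 4}
    if proto == PROTO_ESP:
        if len(body) < 8:
            raise ValueError("truncated ESP header")
        spi, seq = struct.unpack("!II", body[:8])  # everything after SPI/seq is ciphertext
        return {"kind": "ESP", "spi": spi, "seq": seq}
    if proto == PROTO_UDP and len(body) >= 4:
        sport, dport = struct.unpack("!HH", body[:4])
        if IKE_PORT in (sport, dport):
            return {"kind": "IKE", "sport": sport, "dport": dport}
    return {"kind": "other", "protocol": proto}

def ipsec_layers(pkt: bytes) -> list:
    """List IPsec layers in an IPv4 datagram, following AH's next header so AH over ESP gives two entries."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    proto, body, layers = pkt[9], pkt[(pkt[0] & 0x0F) * 4:], []
    while True:
        info = parse_layer(proto, body)
        layers.append(info)
        if info["kind"] != "AH":
            return layers
        proto, body = info["next_header"], body[info["ah_len"]:]

def ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed 20-byte IPv4 header (fixed 10.0.0.1 -> 10.0.0.2, checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

# Constructed samples: AH (12-byte ICV, 24-byte header) on top of ESP, and an IKE datagram on UDP/500.
ESP_SAMPLE = struct.pack("!II", 0x2000, 7) + b"<ciphertext>"
AH_OVER_ESP = ipv4(PROTO_AH, struct.pack("!BBHII", PROTO_ESP, 4, 0, 0x1000, 1) + b"\0" * 12 + ESP_SAMPLE)
IKE_SAMPLE = ipv4(PROTO_UDP, struct.pack("!HHHH", 500, 500, 8, 0))
```

A rule that only opens protocol 50 would let the ESP sample through but drop the AH-wrapped one, which is exactly the protocol 50/51 mix-up at the end of the thread.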
