
improve descr on AH tunnel twist.

1 parent fb9c6eb commit 2fc3cdf1282c9452feac266c033225bc27060e30 itojun committed Apr 20, 2000
Showing with 9 additions and 3 deletions.
  1. +9 −3 kame/kame/man/man4/ipsec.4
12 kame/kame/man/man4/ipsec.4
@@ -1,4 +1,4 @@
-.\" $KAME: ipsec.4,v 1.7 2000/04/20 08:01:41 itojun Exp $
+.\" $KAME: ipsec.4,v 1.8 2000/04/20 14:25:46 itojun Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
.\" All rights reserved.
@@ -230,8 +230,14 @@ There is no single standard for policy engine API,
so the policy engine API described herein is just for KAME implementation.
.Pp
AH tunnel may not work as you might expect.
-Packets will be exchanged just fine, however,
-policy engine will not consider the encapsulated packet to be authentic.
+If you configure
+.Dq require
+policy against AH tunnel for inbound, tunnelled packets will be rejected.
+This is because AH authenticates encapsulating
+.Pq outer
+packet, not the encapsulated
+.Pq inner
+packet.
.\"
.Sh HISTORY
The implementation described herein appeared in WIDE/KAME IPv6/IPsec stack.
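Review bot: The rewritten AH tunnel paragraph drops the removed statement that packets are still exchanged, so a reader can no longer tell what happens when no "require" policy is configured. Consider keeping a sentence to that effect after the final "packet." line, and saying what an administrator who wants inbound enforcement on an AH tunnel should configure instead, since the text now only states that tunnelled packets will be rejected. The new wording is also missing articles: "against AH tunnel for inbound" reads better as "against an AH tunnel for inbound traffic", and "AH authenticates encapsulating" as "AH authenticates the encapsulating".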
