Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

improve descr on AH tunnel twist.

  • Loading branch information...
commit 2fc3cdf1282c9452feac266c033225bc27060e30 1 parent fb9c6eb
itojun authored
Showing with 9 additions and 3 deletions.
  1. +9 −3 kame/kame/man/man4/ipsec.4
12 kame/kame/man/man4/ipsec.4
View
@@ -1,4 +1,4 @@
-.\" $KAME: ipsec.4,v 1.7 2000/04/20 08:01:41 itojun Exp $
+.\" $KAME: ipsec.4,v 1.8 2000/04/20 14:25:46 itojun Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
.\" All rights reserved.
@@ -230,8 +230,14 @@ There is no single standard for policy engine API,
so the policy engine API described herein is just for KAME implementation.
.Pp
AH tunnel may not work as you might expect.
-Packets will be exchanged just fine, however,
-policy engine will not consider the encapsulated packet to be authentic.
+If you configure
+.Dq require
+policy against AH tunnel for inbound, tunnelled packets will be rejected.
+This is because AH authenticates encapsulating
+.Pq outer
+packet, not the encapsulated
+.Pq inner
+packet.
.\"
.Sh HISTORY
The implementation described herein appeared in WIDE/KAME IPv6/IPsec stack.
Please sign in to comment.
Something went wrong with that request. Please try again.