Hi,

I am trying to set up IPsec with ESP + tunnel AH host-to-host in OpenBSD, but fail to do so. The two hosts are the PCs openbsd1 and openbsd15.
openbsd1: 192.3.20.238
openbsd15: 192.3.40.55

When I ping from openbsd1 to openbsd15, there is no reply from openbsd1; the packet from openbsd1 to openbsd15 sniffed with Ethereal is
[IP | AH | IP | ESP | data ]

When I ping from openbsd15 to openbsd1, there is a reply from openbsd1 as shown by the Ethereal software, but the ping command doesn't print any reply packet.
Ethereal sniff:
From openbsd15: [IP | ESP | data ]
From openbsd1: [IP | AH | IP | ESP | data ]


Can I have ESP + tunnel AH in a host-to-host setup?

My configuration files are as follows:
[In openbsd1, isakmpd.policy file:]
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
$OpenBSD: policy,v 1.4 2000/01/26 15:20:40 niklas Exp $
$EOM: policy,v 1.5 2000/01/26 14:03:07 niklas Exp $
Authorizer: "POLICY"
Licensees: "passphrase:mekmitasdigoat"
Conditions: app_domain == "IPsec policy" -> "true";

[In openbsd1, isakmpd.conf file:]
# $OpenBSD: singlehost-west.conf,v 1.8 2000/05/03 13:37:33 niklas Exp $
# $EOM: singlehost-west.conf,v 1.8 2000/05/03 13:25:25 niklas Exp $

# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.

[Phase 1]
192.3.40.55 = ISAKMP-peer-open15

[Phase 2]
Connections= IPsec-open15


[ISAKMP-peer-open15]
Phase= 1
Transport= udp
Address= 192.3.40.55
Configuration= Default-main-mode
Authentication= mekmitasdigoat

[IPsec-open15]
Phase= 2
ISAKMP-peer= ISAKMP-peer-open15
Configuration= Default-quick-mode
Local-ID= Net-open1
Remote-ID= Net-open15


[Net-open1]
ID-type= IPV4_ADDR_SUBNET
Network= 192.3.20.238
Netmask= 255.255.255.255

[Net-open15]
ID-type= IPV4_ADDR_SUBNET
Network= 192.3.40.55
Netmask= 255.255.255.255


[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-MD5

[3DES-SHA]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_3600_SECS

[3DES-MD5]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_3600_SECS

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
#Suites= QM-ESP-3DES-SHA-SUITE
#Suites= QM-ESP-3DES-MD5-SUITE
#Suites= QM-AH-MD5-ESP-DES-SUITE
Suites= QM-ESP-3DES-MD5-AH-MD5-SUITE

# Quick mode protection suites
##############################
# 3DES
# [QM-AH-MD5-ESP-3DES-MD5-SUITE]
[QM-ESP-3DES-MD5-AH-MD5-SUITE]
Protocols= QM-ESP-3DES-MD5,QM-AH-MD5


# Quick mode protocols
#############################
# 3DES
[QM-ESP-3DES-MD5]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-MD5-XF

# AH
[QM-AH-MD5]
PROTOCOL_ID= IPSEC_AH
Transforms= QM-AH-MD5-XF

# Quick mode transforms
#############################
# 3DES
[QM-ESP-3DES-MD5-XF]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TRANSPORT
AUTHENTICATION_ALGORITHM= HMAC_MD5
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_3600_SECS

# AH Transform
[QM-AH-MD5-XF]
TRANSFORM_ID= MD5
ENCAPSULATION_MODE= TRANSPORT
AUTHENTICATION_ALGORITHM= HMAC_MD5
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_3600_SECS

[LIFE_3600_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 3600,1800:7200




[In openbsd15, isakmpd.policy file:]
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
$OpenBSD: policy,v 1.4 2000/01/26 15:20:40 niklas Exp $
$EOM: policy,v 1.5 2000/01/26 14:03:07 niklas Exp $
Authorizer: "POLICY"
Licensees: "passphrase:mekmitasdigoat"
Conditions: app_domain == "IPsec policy" -> true;

[In openbsd15, isakmpd.conf file:]
# $OpenBSD: singlehost-west.conf,v 1.8 2000/05/03 13:37:33 niklas Exp $
# $EOM: singlehost-west.conf,v 1.8 2000/05/03 13:25:25 niklas Exp $

# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.

[Phase 1]
192.3.20.238= ISAKMP-open1

[Phase 2]
Connections= IPsec-svr-open1

[ISAKMP-open1]
Phase= 1
Transport= udp
Address= 192.3.20.238
Configuration= Default-main-mode
Authentication= mekmitasdigoat

[IPsec-svr-open1]
Phase= 2
ISAKMP-peer= ISAKMP-rtu2
Configuration= Default-quick-mode
Local-ID= Net-open15
Remote-ID= Net-open1

[Net-open15]
ID-type= IPV4_ADDR_SUBNET
Network= 192.3.40.55
Netmask= 255.255.255.255

[Net-open1]
ID-type= IPV4_ADDR_SUBNET
Network= 192.3.20.238
Netmask= 255.255.255.255

[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-MD5

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-MD5-AH-MD5-SUITE


[3DES-MD5]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_3600_SECS

# Quick mode protection suites
##############################
# ESP
# ESP + AH
# Work 1
#[QM-AH-MD5-ESP-3DES-MD5-SUITE]
[QM-ESP-3DES-MD5-AH-MD5-SUITE]
Protocols= QM-ESP-3DES-MD5,QM-AH-MD5

# Quick mode protocols
#############################
# 3DES-SHA
[QM-ESP-3DES-MD5]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-MD5-XF

# AH
[QM-AH-MD5]
PROTOCOL_ID= IPSEC_AH
Transforms= QM-AH-MD5-XF

# Quick mode transforms
#############################
# 3DES
[QM-ESP-3DES-MD5-XF]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_MD5
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_3600_SECS


# AH Transform
[QM-AH-MD5-XF]
TRANSFORM_ID= MD5
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_MD5
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_3600_SECS

[LIFE_3600_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 3600,1800:7200
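A cross-check of the two posted isakmpd.conf files, added here as an example and not part of the original post or of isakmpd itself: it follows each host's Connections -> Configuration -> Suites -> Protocols -> Transforms chain with Python's configparser, reports sections that are referenced but never defined, and compares the ENCAPSULATION_MODE each side sets for the same transform. The two embedded configs are constructed excerpts of the files above, reduced to the sections the check reads; the differences it reports (the undefined ISAKMP-rtu2 peer on openbsd15, and TRANSPORT on openbsd1 versus TUNNEL on openbsd15) are the ones visible in the posted files.

```python
import configparser
# Constructed excerpt modelled on openbsd1's isakmpd.conf in the post (not the full file).
OPENBSD1_CONF = """\
[Phase 2]
Connections= IPsec-open15
[IPsec-open15]
ISAKMP-peer= ISAKMP-peer-open15
Configuration= Default-quick-mode
[ISAKMP-peer-open15]
[Default-quick-mode]
Suites= QM-ESP-3DES-MD5-AH-MD5-SUITE
[QM-ESP-3DES-MD5-AH-MD5-SUITE]
Protocols= QM-ESP-3DES-MD5,QM-AH-MD5
[QM-ESP-3DES-MD5]
Transforms= QM-ESP-3DES-MD5-XF
[QM-AH-MD5]
Transforms= QM-AH-MD5-XF
[QM-ESP-3DES-MD5-XF]
ENCAPSULATION_MODE= TRANSPORT
[QM-AH-MD5-XF]
ENCAPSULATION_MODE= TRANSPORT
"""
# openbsd15's side, as in the posted file: an ISAKMP-peer that is never defined, and TUNNEL.
OPENBSD15_CONF = OPENBSD1_CONF.replace("= ISAKMP-peer-open15", "= ISAKMP-rtu2").replace("TRANSPORT", "TUNNEL")

def encapsulation_modes(text):
    """Follow Connections -> Configuration -> Suites -> Protocols -> Transforms."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep isakmpd's mixed-case keys
    cp.read_string(text)
    modes, problems = {}, []  # {transform: ENCAPSULATION_MODE}, undefined sections
    def sect(name):  # look a section up, recording its name if it is undefined
        name = name.strip()
        found = cp.has_section(name) or problems.append(f"missing section [{name}]")
        return cp[name] if found else {}
    for conn in sect("Phase 2").get("Connections", "").split(","):
        c = sect(conn)
        sect(c.get("ISAKMP-peer", ""))  # the Phase 1 peer must be defined too
        for suite in sect(c.get("Configuration", "")).get("Suites", "").split(","):
            for proto in sect(suite).get("Protocols", "").split(","):
                for xf in sect(proto).get("Transforms", "").split(","):
                    modes[xf.strip()] = sect(xf).get("ENCAPSULATION_MODE")
    return modes, problems

def compare(left_conf, right_conf):
    """Differences that would keep the two peers from agreeing on the same SAs."""
    (lm, lp), (rm, rp) = encapsulation_modes(left_conf), encapsulation_modes(right_conf)
    findings = [f"left: {p}" for p in lp] + [f"right: {p}" for p in rp]
    findings += [f"{xf}: ENCAPSULATION_MODE {lm.get(xf)} vs {rm.get(xf)}"
                 for xf in sorted(set(lm) | set(rm)) if lm.get(xf) != rm.get(xf)]
    return findings
```

To run it against real files, pass the text of each host's isakmpd.conf to compare(); an empty list means both chains resolve and every shared transform agrees on its encapsulation mode.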