While this should probably work, it's more straightforward to use ESP with integrity protection. That is, use a -A hmac-sha1 argument also to ESP. (hmac-md5 is probably still fine, but sha1 goes better strength-wise with rijndael-cbc.) I believe that in tunnel mode AH and ESP integrity are essentially identical - but read RFC2401 and rfc2401bis (i-d from ipsec wg) if you really want to understand. In transport mode, AH protects parts of the original (and only) IP header. -- Greg Troxel <gdt@ir.bbn.com> _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"