Date:      Tue, 3 Jul 2001 09:23:58 -0400 
From:      "Cambria, Mike" <mcambria@avaya.com>
To:        'Jun-ichiro itojun Hagino' <itojun@iijlab.net>, "Cambria, Mike" <mcambria@avaya.com>, snap-users@kame.net
Cc:        "'freebsd-net@freebsd.org'" <freebsd-net@freebsd.org>
Subject:   RE: (KAME-snap 5064) Can I define a SPD per interface? 
Message-ID:  <3A6D367EA1EFD4118C9B00A0C9DD99D7064F5F@rerun.lucentctc.com>



>I can only find a way to define a global SPD using setkey.  Is it possible
>to define an (IPv4) SPD on a per interface basis using KAME / FreeBSD4?
>If not, are there any plans to add this in the future?
>Is there any reason one wouldn't want to have this?

	no.  do you want SPD per interface, or IPsec SPI per interface?
	anyway, IPsec architecture is not interface-oriented (it lives on top
	of IP, and the information on interface is already gone)
	so your suggestion does not fit nicely to the current architecture...

I read RFC2401 (pg 13) differently, which is why I asked.

"Each interface for which IPsec is enabled requires nominally separate
inbound vs. outbound databases (SAD and SPD)"


and further down on pg 13

"...SG had multiple external interfaces, it might be necessary to have
separate SAD and SPD pairs for each interface."



