Date: Fri, 21 Sep 2001 11:05:14 +0200
From: Sameh Ghane <sw@anthologeek.net>
To: net@FreeBSD.ORG
Subject: Re: IPSEC question..
Message-ID: <20010921110514.G77863@anthologeek.net>
In-Reply-To: <200109210847.f8L8l3R32993@hak.lan.Awfulhak.org>; from brian@freebsd-services.com on Fri, Sep 21, 2001 at 09:47:03AM +0100
References: <julian@elischer.org> <200109210847.f8L8l3R32993@hak.lan.Awfulhak.org>

On Fri, Sep 21, 2001 at 09:47:03AM +0100, Brian Somers wrote:
>
> spdadd 1.2.3.4/32 5.6.7.8/32 ip4 -P in ipsec esp/transport//require;
> spdadd 5.6.7.8/32 1.2.3.4/32 ip4 -P out ipsec esp/transport//require;
>
> This is your setkey input. The ``ip4'' bit tells ipsec to only touch
> IP-in-IP traffic, so comms going from an internal LAN to an external
> gateway address (1.2.3.4 or 5.6.7.8) won't be encrypted (but may be
> NAT'd). Only the gif-encapsulated traffic is encrypted.

Hum, looks great, but the man page for setkey says:

«
    spdadd src_range dst_range upperspec policy ;

    upperspec
        Upper-layer protocol to be used. Currently tcp, udp and any can
        be specified. any stands for ``any protocol''.
»

And when I use 'ip4' instead of any/icmp/tcp/udp, it says:

line #[where ip4]: Syntax error at [i].

(Funny error location, by the way).

Is it a « new feature » with 4.4's shipped KAME's setkey?

--
Sameh

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message