From owner-freebsd-net Fri Sep 21 2: 5:52 2001
Delivered-To: freebsd-net@freebsd.org
Received: from day.anthologeek.net (day.anthologeek.net [212.43.217.20]) by hub.freebsd.org (Postfix) with ESMTP id 24BE737B413 for ; Fri, 21 Sep 2001 02:05:48 -0700 (PDT)
Received: by day.anthologeek.net (Postfix, from userid 1000) id 8835E17126; Fri, 21 Sep 2001 11:05:14 +0200 (CEST)
Date: Fri, 21 Sep 2001 11:05:14 +0200
From: Sameh Ghane
To: net@FreeBSD.ORG
Subject: Re: IPSEC question..
Message-ID: <20010921110514.G77863@anthologeek.net>
References: <200109210847.f8L8l3R32993@hak.lan.Awfulhak.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.2.5i
In-Reply-To: <200109210847.f8L8l3R32993@hak.lan.Awfulhak.org>; from brian@freebsd-services.com on Fri, Sep 21, 2001 at 09:47:03AM +0100
X-PGP-Keys: 0x1289F00D:
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Fri, Sep 21, 2001 at 09:47:03AM +0100, Brian Somers wrote:
>
> spdadd 1.2.3.4/32 5.6.7.8/32 ip4 -P in ipsec esp/transport//require;
> spdadd 5.6.7.8/32 1.2.3.4/32 ip4 -P out ipsec esp/transport//require;
>
> This is your setkey input. The ``ip4'' bit tells ipsec to only touch
> IP-in-IP traffic, so comms going from an internal LAN to an external
> gateway address (1.2.3.4 or 5.6.7.8) won't be encrypted (but may be
> NAT'd). Only the gif-encapsulated traffic is encrypted.

Hum, looks great, but the man page for setkey says:

« spdadd src_range dst_range upperspec policy ;

upperspec Upper-layer protocol to be used. Currently tcp, udp and any can be specified. any stands for ``any protocol''. »

And when I use 'ip4' instead of any/icmp/tcp/udp, it says:

line #[where ip4]: Syntax error at [i].

(Funny error location, by the way.)

Is it a « new feature » with 4.4's shipped KAME's setkey?
-- 
Sameh

To Unsubscribe: send mail to majordomo@FreeBSD.org with
"unsubscribe freebsd-net" in the body of the message
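As an added example (not from this thread and not KAME's setkey code), the following parses spdadd lines of the shape quoted above into their fields, rejects an upperspec that is not in the vocabulary the quoted man page lists (which is why `ip4` fails on that version), and checks that an in/out pair really mirrors each other. `SpdEntry` and the function names are my own; the two sample lines are Brian's.

```python
import re
from dataclasses import dataclass

# Upper-layer protocols the quoted setkey(8) man page accepts for upperspec.
MANPAGE_UPPERSPECS = frozenset({"tcp", "udp", "any"})

# Sample input: the two policy lines quoted from Brian's mail.
SAMPLE_IN = "spdadd 1.2.3.4/32 5.6.7.8/32 ip4 -P in ipsec esp/transport//require;"
SAMPLE_OUT = "spdadd 5.6.7.8/32 1.2.3.4/32 ip4 -P out ipsec esp/transport//require;"

SPDADD_RE = re.compile(
    r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"(esp|ah)/(transport|tunnel)/([^/]*)/(require|use|default)\s*;$"
)

@dataclass(frozen=True)
class SpdEntry:          # hypothetical structure, not a setkey type
    src: str             # source address range
    dst: str             # destination address range
    upperspec: str       # upper-layer protocol selector
    direction: str       # "in" or "out"
    protocol: str        # "esp" or "ah"
    mode: str            # "transport" or "tunnel"
    endpoints: str       # "src-dst" for tunnel mode, empty for transport
    level: str           # "require", "use" or "default"

def parse_spdadd(line, known=MANPAGE_UPPERSPECS):
    """Parse one spdadd line; reject an upperspec this vocabulary does not know."""
    m = SPDADD_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an spdadd line: {line!r}")
    entry = SpdEntry(*m.groups())
    if entry.upperspec not in known:
        # Corresponds to the "Syntax error" setkey reported for "ip4".
        raise ValueError(f"unknown upperspec {entry.upperspec!r}")
    return entry

def is_mirror_pair(a, b):
    """True when two entries cover the same traffic in opposite directions."""
    return (a.src == b.dst and a.dst == b.src
            and {a.direction, b.direction} == {"in", "out"}
            and (a.upperspec, a.protocol, a.mode, a.level)
            == (b.upperspec, b.protocol, b.mode, b.level))

def accepts_ip4(known):
    # Does this upperspec vocabulary accept the quoted pair as a valid mirror?
    try:
        return is_mirror_pair(parse_spdadd(SAMPLE_IN, known), parse_spdadd(SAMPLE_OUT, known))
    except ValueError:
        return False
```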