From owner-freebsd-net Fri Sep 21 02:17:09 2001
Delivered-To: freebsd-net@freebsd.org
Received: from Awfulhak.org (gw.Awfulhak.org [217.204.245.18])
	by hub.freebsd.org (Postfix) with ESMTP id 38D6E37B40F
	for ; Fri, 21 Sep 2001 02:17:03 -0700 (PDT)
Received: from hak.lan.Awfulhak.org (root@hak.lan.Awfulhak.org [fec0::1:12])
	by Awfulhak.org (8.11.6/8.11.6) with ESMTP id f8L9H1t18829;
	Fri, 21 Sep 2001 10:17:01 +0100 (BST)
	(envelope-from brian@freebsd-services.com)
Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1])
	by hak.lan.Awfulhak.org (8.11.6/8.11.6) with ESMTP id f8L9GvR34876;
	Fri, 21 Sep 2001 10:16:57 +0100 (BST)
	(envelope-from brian@freebsd-services.com)
Message-Id: <200109210916.f8L9GvR34876@hak.lan.Awfulhak.org>
X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4
To: Sameh Ghane
Cc: net@FreeBSD.ORG, brian@freebsd-services.com
Subject: Re: IPSEC question..
In-Reply-To: Message from Sameh Ghane of "Fri, 21 Sep 2001 11:05:14 +0200." <20010921110514.G77863@anthologeek.net>
Date: Fri, 21 Sep 2001 10:16:57 +0100
From: Brian Somers
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> On Fri, Sep 21, 2001 at 09:47:03AM +0100, Brian Somers wrote:
> >
> > spdadd 1.2.3.4/32 5.6.7.8/32 ip4 -P in ipsec esp/transport//require;
> > spdadd 5.6.7.8/32 1.2.3.4/32 ip4 -P out ipsec esp/transport//require;
> >
> > This is your setkey input. The ``ip4'' bit tells ipsec to only touch
> > IP-in-IP traffic, so comms going from an internal LAN to an external
> > gateway address (1.2.3.4 or 5.6.7.8) won't be encrypted (but may be
> > NAT'd). Only the gif-encapsulated traffic is encrypted.
>
> Hmm, looks great, but the man page for setkey says:
>
> « spdadd src_range dst_range upperspec policy ;
>
>   upperspec
>           Upper-layer protocol to be used. Currently tcp, udp and any can
>           be specified. any stands for ``any protocol''. »
>
> And when I use 'ip4' instead of any/icmp/tcp/udp, it says:
> line #[where ip4]: Syntax error at [i].
>
> (Funny error location, by the way).
>
> Is it a « new feature » with 4.4's shipped KAME's setkey ?

Yes, it was added by me specifically to permit NAT & IPSEC to work
together (although the KAME guys have made it better by now, allowing
any protocols(5) value).

The patch is very simple, so you may want to patch your system
(kernel support is already there, it's just a one-line userland
change).

> --
> Sameh

Cheers.

--
Brian
http://www.freebsd-services.com/
Don't _EVER_ lose your sense of humour !
Index: token.l =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/usr.sbin/setkey/token.l,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- token.l 4 Jul 2000 16:22:05 -0000 1.3 +++ token.l 17 May 2001 15:30:49 -0000 1.4 @@ -200,6 +200,7 @@ /* upper layer protocols */ icmp { PREPROC; yylval.num =3D IPPROTO_ICMP; return(UP_PROTO); } icmp6 { PREPROC; yylval.num =3D IPPROTO_ICMPV6; return(UP_PROTO); } +ip4 { PREPROC; yylval.num =3D IPPROTO_IPV4; return(UP_PROTO); } tcp { PREPROC; yylval.num =3D IPPROTO_TCP; return(UP_PROTO); } udp { PREPROC; yylval.num =3D IPPROTO_UDP; return(UP_PROTO); } = To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
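Review bot: the setkey(8) man page is not touched by this patch, and the upperspec text Sameh quotes still lists only tcp, udp and any, which is exactly what produced the "Syntax error" confusion; the token.l hunk should be paired with a man page hunk that documents ip4 (and icmp/icmp6, which the lexer already accepts but the quoted man page text omits). A second point on the same hunk: one lexer rule per protocol means every further protocol needs another token.l change; the protocols(5) approach Brian mentions KAME adopted later (e.g. resolving the keyword with getprotobyname(3) and otherwise accepting a numeric value) would make `ip4` work without a dedicated rule. Nothing else to flag: IPPROTO_IPV4 is the netinet/in.h constant for IP-in-IP (protocol 4), which is the gif outer header these policies are meant to match.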
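To make the selector point concrete, here is a small model of the SPD lookup, added to this thread (it is not code from the mail, from KAME or from FreeBSD's setkey): it parses the two spdadd lines above and shows which packets they catch with `ip4` versus `any`. The `parse_spd`/`lookup` functions, the Policy and Packet classes, the sample packets and the plain-text bypass default are all constructed for the example; the numeric-upperspec branch models the later KAME behaviour Brian mentions, not the patched 4.4 lexer.

```python
"""Model of how setkey's upperspec narrows an IPsec SPD match.

Added example for this thread; not code from the mail, from KAME or from
FreeBSD's setkey.  It models only the selector semantics discussed above
(src/dst range, upper-layer protocol, direction): a policy whose upperspec
is ``ip4`` matches the gif outer IP-in-IP packet between the two gateways
and nothing else, whereas ``any`` also catches NAT'd LAN traffic that
happens to carry the gateway address.  Names, sample packets and the
default-policy behaviour are all constructed here.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Keywords the patched token.l accepts, mapped to IPPROTO_* numbers from
# netinet/in.h.  None stands for ``any``.  A bare number (handled in
# parse_spd) models the later KAME behaviour of taking any protocols(5) value.
UPPERSPEC = {"icmp": 1, "icmp6": 58, "ip4": 4, "tcp": 6, "udp": 17, "any": None}

SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+(.+?)\s*;")


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int]     # None == any upper-layer protocol
    direction: str           # "in" or "out"
    action: str              # e.g. "ipsec esp/transport//require"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    direction: str


def parse_spd(text: str) -> List[Policy]:
    """Parse spdadd lines (setkey -c syntax) into Policy records."""
    policies = []
    for m in SPDADD_RE.finditer(text):
        src, dst, upper, direction, action = m.groups()
        if upper in UPPERSPEC:
            proto = UPPERSPEC[upper]
        elif upper.isdigit():
            proto = int(upper)
        else:
            # An unknown keyword is a parse failure, which is what the
            # unpatched 4.4 lexer (no ``ip4`` token) reported to Sameh.
            raise ValueError(f"unknown upperspec {upper!r}")
        policies.append(Policy(ipaddress.ip_network(src),
                               ipaddress.ip_network(dst),
                               proto, direction, action))
    return policies


def lookup(policies: List[Policy], pkt: Packet) -> str:
    """Return the action of the first policy matching pkt.

    With no matching entry the packet falls through to the default policy,
    modelled here as plain-text bypass ("none")."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for p in policies:
        if p.direction != pkt.direction or s not in p.src or d not in p.dst:
            continue
        if p.proto is not None and p.proto != pkt.proto:
            continue
        return p.action
    return "none"


# The two lines from the mail, as seen from the gateway that owns 5.6.7.8.
SPD_IP4 = """
spdadd 1.2.3.4/32 5.6.7.8/32 ip4 -P in ipsec esp/transport//require;
spdadd 5.6.7.8/32 1.2.3.4/32 ip4 -P out ipsec esp/transport//require;
"""
# Same policy with the upperspec widened to ``any``, for comparison.
SPD_ANY = SPD_IP4.replace(" ip4 ", " any ")


def demo() -> dict:
    """Run constructed packets through both SPDs and collect the verdicts."""
    ip4, anyp = parse_spd(SPD_IP4), parse_spd(SPD_ANY)
    # gif0 has wrapped a LAN-to-LAN packet: the outer header is IP-in-IP (4).
    gif_out = Packet("5.6.7.8", "1.2.3.4", 4, "out")
    gif_in = Packet("1.2.3.4", "5.6.7.8", 4, "in")
    # A LAN host, NAT'd to 5.6.7.8, opening ssh (TCP, 6) to the far gateway.
    nat_ssh = Packet("5.6.7.8", "1.2.3.4", 6, "out")
    # Unrelated traffic from the gateway to some Internet host (constructed).
    web = Packet("5.6.7.8", "198.51.100.7", 6, "out")
    return {
        "gif_out": lookup(ip4, gif_out),
        "gif_in": lookup(ip4, gif_in),
        "nat_ssh_ip4": lookup(ip4, nat_ssh),
        "nat_ssh_any": lookup(anyp, nat_ssh),
        "web_ip4": lookup(ip4, web),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} -> {verdict}")
```

Running it prints one verdict per packet: the two IP-in-IP packets between the gateways get ESP, the NAT'd TCP session to 1.2.3.4 passes in the clear under the `ip4` policy but would be forced into ESP under `any`, and traffic to any other destination is untouched either way, which is the behaviour the reply above describes.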