From owner-freebsd-security Thu Sep 28 7:46: 2 2000
Delivered-To: freebsd-security@freebsd.org
Received: from public.bta.net.cn (public.bta.net.cn [202.96.0.97]) by hub.freebsd.org (Postfix) with SMTP id C608037B43C for ; Thu, 28 Sep 2000 07:45:53 -0700 (PDT)
Received: from netrinsics.com([202.106.13.229]) by public.bta.net.cn(JetMail 2.5.3.0) with SMTP id jm839d3cac6; Thu, 28 Sep 2000 14:45:47 -0000
Received: (from robinson@localhost) by netrinsics.com (8.11.0/8.9.3) id e8SEl7805639 for freebsd-security@freebsd.org; Thu, 28 Sep 2000 22:47:07 +0800 (+0800) (envelope-from robinson)
Date: Thu, 28 Sep 2000 22:47:07 +0800 (+0800)
From: Michael Robinson
Message-Id: <200009281447.e8SEl7805639@netrinsics.com>
To: freebsd-security@freebsd.org
Subject: Dialup IPSEC
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Pipsecd supports dialup users by providing IP wildcards for security
associations. This is very convenient.

Racoon, on the other hand (according to the port description):

"Design choice, not a bug:
 - racoon negotiate IPsec keys only. It does not negotiate policy. Policy must
   be configured into the kernel separately from racoon. If you want to
   support roaming clients, you may need to have a mechanism to put policy
   for the roaming client after phase 1 finishes."

Does anyone have a working dialup solution for the KAME kernel IPSEC
implementation?

-Michael Robinson