Date: Thu, 28 Sep 2000 09:20:10 -0700 (PDT)
From: Kris Kennaway
To: Michael Robinson
Cc: freebsd-security@freebsd.org
Subject: Re: Dialup IPSEC
In-Reply-To: <200009281447.e8SEl7805639@netrinsics.com>

On Thu, 28 Sep 2000, Michael Robinson wrote:

> Pipsecd supports dialup users by providing IP wildcards for security
> associations. This is very convenient.
>
> Racoon, on the other hand (according to the port description):
>
> "Design choice, not a bug:
> - racoon negotiates IPsec keys only. It does not negotiate policy. Policy
>   must be configured into the kernel separately from racoon. If you want
>   to support roaming clients, you may need to have a mechanism to put
>   policy for the roaming client after phase 1 finishes."
>
> Does anyone have a working dialup solution for the KAME kernel IPSEC
> implementation?

Perhaps my brain hasn't spun up yet this early in the morning, but can't
you just specify the appropriate range of addresses in the spdadd entry?

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe
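What Kris's suggestion looks like in practice, as an added example that is not part of the original thread and not KAME or racoon project code: a small script that emits KAME setkey(8) SPD entries whose client side is a whole address range rather than a single host, so any dialup client that lands in that pool matches the policy before racoon has negotiated anything. The gateway address (192.0.2.1) and the client pool (198.51.100.0/24) are hypothetical placeholders; transport mode is used because a tunnel-mode policy has to name both tunnel endpoints explicitly in its `esp/tunnel/src-dst/` field, which is exactly the part you cannot know in advance for a roaming peer.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Emit KAME setkey SPD
# entries that cover an entire client address pool, then load them if
# setkey(8) is available; otherwise just print them for review.
#
# Assumptions (hypothetical addresses): the IPsec gateway is 192.0.2.1 and
# dialup clients receive addresses from 198.51.100.0/24.

GATEWAY=${GATEWAY:-192.0.2.1}
CLIENT_RANGE=${CLIENT_RANGE:-198.51.100.0/24}

# spd_entries GATEWAY CLIENT_RANGE
# Prints two spdadd lines: inbound traffic from anywhere in the client range
# to the gateway, and outbound traffic from the gateway back into the range,
# both required to be ESP-protected in transport mode. The address range in
# the selector is what lets a client with an as-yet-unknown address match.
spd_entries() {
    gw=$1
    range=$2
    printf 'spdadd %s %s any -P in ipsec esp/transport//require;\n' "$range" "$gw"
    printf 'spdadd %s %s any -P out ipsec esp/transport//require;\n' "$gw" "$range"
}

# spd_script GATEWAY CLIENT_RANGE
# Wraps the entries in a complete setkey -f script: flush the SPD first so a
# stale per-host entry cannot shadow the ranged one.
spd_script() {
    printf 'spdflush;\n'
    spd_entries "$1" "$2"
}

# Load the policy if we are on a KAME-derived system, otherwise show it.
if command -v setkey >/dev/null 2>&1; then
    spd_script "$GATEWAY" "$CLIENT_RANGE" | setkey -c
    # Confirm the kernel now holds the ranged selector.
    setkey -DP
else
    spd_script "$GATEWAY" "$CLIENT_RANGE"
fi
```

The policy side is only half of it: racoon still has to accept a phase 1 from a peer whose address it does not know, which means a `remote anonymous { ... }` section (and a matching `sainfo anonymous`) in racoon.conf rather than a per-peer block; that configuration is assumed here and not shown. The caveat from the port description stands as well: a single `any`-protocol policy over a /24 means every host in the pool is treated alike, so per-client policy differences have to come from somewhere else.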