Date:      Fri, 29 Sep 2000 00:53:48 +0800 (+0800)
From:      Michael Robinson <robinson@netrinsics.com>
To:        kris@FreeBSD.org
Cc:        freebsd-security@FreeBSD.org
Subject:   Re: Dialup IPSEC
Message-ID:  <200009281653.e8SGrmj06140@netrinsics.com>
In-Reply-To: <Pine.BSF.4.21.0009280918560.97039-100000@freefall.freebsd.org>

Kris Kennaway <kris@FreeBSD.org> writes:
>> Does anyone have a working dialup solution for the KAME kernel IPSEC 
>> implementation?
>
>Perhaps my brain hasn't spun up yet this early in the morning, but can't
>you just specify the appropriate range of addresses in the spdadd entry?

From the setkey manual:

    spdadd src_range dst_range upperspec policy ;

    policy is one of the following:

    -P direction ipsec protocol/mode/src-dst/level

    You must specify the end-points addresses of the SA as src and dst
    with `-' between these addresses which is used to specify the SA to
    use.

In conclusion, you can set a policy for routing your *internal* IP addresses
as a range in the spdadd entry, but you must specify the public tunnel 
endpoint IP addresses as fixed dotted quads (for IPv4).  This is specifically
the part that racoon, by design, won't help you do.

	-Michael Robinson
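The constraint Michael describes above, shown as an added example that is not part of the original message or of the KAME/setkey project: a small POSIX sh helper that emits the pair of tunnel-mode spdadd lines for a site-to-site SA, accepting CIDR ranges for the internal networks but refusing anything other than a fixed dotted quad for the two SA end-points. The networks and addresses (10.0.1.0/24, 10.0.2.0/24, 192.0.2.1, 198.51.100.1) and the function names are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the thread): generate KAME setkey SPD entries for an
# IPv4 ESP tunnel.  The src_range/dst_range fields may be CIDR networks, but the
# "src-dst" pair after esp/tunnel/ selects the SA and must be fixed addresses,
# which is exactly what a dial-up peer with a changing address cannot supply.

# Return 0 only for a plain dotted quad: no prefix length, no range, no name.
is_dotted_quad() {
    case "$1" in
        ''|*/*|*-*|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_spd <inside-src-net> <inside-dst-net> <local-endpoint> <remote-endpoint>
# Emits the outbound and inbound spdadd lines, or fails if an end-point is
# not a fixed address (hypothetical helper; setkey itself takes the output).
gen_spd() {
    src_net=$1; dst_net=$2; local_ep=$3; remote_ep=$4
    is_dotted_quad "$local_ep" ||
        { echo "gen_spd: local endpoint must be a fixed IPv4 address: $local_ep" >&2; return 1; }
    is_dotted_quad "$remote_ep" ||
        { echo "gen_spd: remote endpoint must be a fixed IPv4 address: $remote_ep" >&2; return 1; }
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$src_net" "$dst_net" "$local_ep" "$remote_ep"
    # Inbound policy mirrors the networks and the SA end-points.
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$dst_net" "$src_net" "$remote_ep" "$local_ep"
}

# Demonstration with constructed addresses.  To load the result:
#   gen_spd 10.0.1.0/24 10.0.2.0/24 192.0.2.1 198.51.100.1 | setkey -c
gen_spd 10.0.1.0/24 10.0.2.0/24 192.0.2.1 198.51.100.1

# A range in the end-point position is rejected, because setkey needs a
# concrete src-dst pair to pick the SA; this is the dial-up problem.
gen_spd 10.0.1.0/24 10.0.2.0/24 192.0.2.0/24 198.51.100.1 ||
    echo "rejected as expected: end-points cannot be ranges" >&2
```

Internal ranges go in src_range/dst_range; the tunnel end-points cannot be widened the same way, so a peer whose public address changes per dial-up session needs a new spdadd (and SA) each time it connects.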
