Date: Fri, 29 Sep 2000 00:53:48 +0800 (+0800)
From: Michael Robinson <robinson@netrinsics.com>
To: kris@FreeBSD.org
Cc: freebsd-security@FreeBSD.org
Subject: Re: Dialup IPSEC
Message-ID: <200009281653.e8SGrmj06140@netrinsics.com>
In-Reply-To: <Pine.BSF.4.21.0009280918560.97039-100000@freefall.freebsd.org>

Kris Kennaway <kris@FreeBSD.org> writes:
>> Does anyone have a working dialup solution for the KAME kernel IPSEC
>> implementation?
>
>Perhaps my brain hasn't spun up yet this early in the morning, but can't
>you just specify the appropriate range of addresses in the spdadd entry?

From the setkey manual:

     spdadd src_range dst_range upperspec policy ;

     policy is the one of following:
         -P direction ipsec protocol/mode/src-dst/level

     You must specify the end-points addresses of the SA as src and dst
     with `-' between these addresses which is used to specify the SA to use.

In conclusion, you can set a policy for routing your *internal* IP addresses
as a range in the spdadd entry, but you must specify the public tunnel
endpoint IP addresses as fixed dotted quads (for IPv4).

This is specifically the part that racoon, by design, won't help you do.

-Michael Robinson
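
Added example, not part of the original message: a shell sketch that builds the spdadd pair once the dial-up address is known, accepting prefixes for the inner networks but only single dotted quads for the tunnel endpoints. The function names, the link-up invocation and all addresses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: build setkey(8) tunnel policies for a dial-up host whose
# public address is only known after the link comes up.
# Function names and addresses are constructed, not from the thread.

# is_ipv4 ADDR: succeed only for one dotted quad (no prefix, no range),
# since the tunnel endpoints in the policy must be fixed addresses.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ????*) return 1 ;; esac   # more than 3 digits
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_spd LOCAL_EP REMOTE_EP LOCAL_NET REMOTE_NET
# Print setkey input. LOCAL_NET/REMOTE_NET may be ranges (prefixes);
# LOCAL_EP/REMOTE_EP are rejected unless they are single addresses.
gen_spd() {
    local_ep=$1 remote_ep=$2 local_net=$3 remote_net=$4
    is_ipv4 "$local_ep"  || { echo "bad local endpoint: $local_ep" >&2; return 1; }
    is_ipv4 "$remote_ep" || { echo "bad remote endpoint: $remote_ep" >&2; return 1; }
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$local_net" "$remote_net" "$local_ep" "$remote_ep"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$remote_net" "$local_net" "$remote_ep" "$local_ep"
}

# Constructed sample: 203.0.113.7 stands in for the address the dial-up
# link was assigned, 198.51.100.1 for the fixed remote gateway.
gen_spd 203.0.113.7 198.51.100.1 10.0.1.0/24 10.0.2.0/24
```

The output is meant to be piped to `setkey -c` from a link-up hook, after the policies installed for the previous address have been deleted.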