From owner-freebsd-security Thu Sep 28 9:52:58 2000
Date: Fri, 29 Sep 2000 00:53:48 +0800 (+0800)
From: Michael Robinson
Message-Id: <200009281653.e8SGrmj06140@netrinsics.com>
To: kris@FreeBSD.org
Cc: freebsd-security@FreeBSD.org
Subject: Re: Dialup IPSEC

Kris Kennaway writes:
>> Does anyone have a working dialup solution for the KAME kernel IPSEC
>> implementation?
>
> Perhaps my brain hasn't spun up yet this early in the morning, but can't
> you just specify the appropriate range of addresses in the spdadd entry?

From the setkey manual:

    spdadd src_range dst_range upperspec policy ;

    policy is the one of following:

        -P direction ipsec protocol/mode/src-dst/level

    You must specify the end-points addresses of the SA as src and dst
    with `-' between these addresses which is used to specify the SA to
    use.

In conclusion, you can set a policy for routing your *internal* IP
addresses as a range in the spdadd entry, but you must specify the public
tunnel endpoint IP addresses as fixed dotted quads (for IPv4). This is
specifically the part that racoon, by design, won't help you do.

	-Michael Robinson
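The spdadd syntax quoted in the message above, as an added example that is not part of the original mail or of the KAME/setkey documentation: the inner networks are written as ranges while the outer tunnel endpoints are fixed addresses, and a small wrapper regenerates the policy from whatever address the dialup interface currently holds, which is one way to live with that constraint without racoon's help. The networks, peer address, interface name (tun0) and the ifconfig output format are assumptions; the script only calls setkey(8) when explicitly asked to apply the policy.

```shell
#!/bin/sh
# Added example (not from the original mail): build a setkey(8) policy script
# in which the *inner* networks are ranges and the *outer* tunnel endpoints
# are fixed dotted quads, as the spdadd syntax quoted above requires.
# All addresses and netmasks below are constructed placeholders.

# gen_spd LOCAL_PUBLIC PEER_PUBLIC LOCAL_NET PEER_NET
# Prints setkey commands: one outbound and one inbound policy, both in ESP
# tunnel mode.  Note the SA endpoints are swapped for the inbound direction.
gen_spd() {
    local_pub=$1; peer_pub=$2; local_net=$3; peer_net=$4
    cat <<EOF
spdflush;
spdadd ${local_net} ${peer_net} any -P out ipsec esp/tunnel/${local_pub}-${peer_pub}/require;
spdadd ${peer_net} ${local_net} any -P in ipsec esp/tunnel/${peer_pub}-${local_pub}/require;
EOF
}

# current_addr IFACE: read the IPv4 address currently assigned to a (dialup)
# interface.  Assumes BSD-style "inet A.B.C.D" lines in ifconfig output.
current_addr() {
    ifconfig "$1" 2>/dev/null | awk '$1 == "inet" { print $2; exit }'
}

# Constructed topology: 10.0.1.0/24 sits behind this dialup host, 10.0.2.0/24
# behind the peer whose public address (192.0.2.1) is fixed.  Run with
# "--apply [iface]" to push the policy for the live dialup address; with no
# arguments it just prints the policy for a placeholder local address.
if [ "${1:-}" = "--apply" ]; then
    me=$(current_addr "${2:-tun0}")
    [ -n "$me" ] || { echo "no address on ${2:-tun0}" >&2; exit 1; }
    gen_spd "$me" 192.0.2.1 10.0.1.0/24 10.0.2.0/24 | setkey -c
else
    gen_spd 198.51.100.7 192.0.2.1 10.0.1.0/24 10.0.2.0/24
fi
```

Because the SPD entry names the tunnel endpoints literally, every new dialup address invalidates the previous entry; rerunning the generator from a link-up hook (and re-establishing the SAs afterwards) is the manual equivalent of what a dynamic-endpoint IKE setup would do for you.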