Date: Sun, 23 Jun 2002 19:37:22 -0500
From: Greg Panula <greg.panula@dolaninformation.com>
To: cjclark@alum.mit.edu
Cc: security@freebsd.org
Subject: Re: Configuring sainfo in racoon(8)
Message-ID: <3D1669C2.DF6F426A@dolaninformation.com>
References: <20020618130547.A11688@blossom.cjclark.org> <20020622050353.A35129@zith.net> <20020622120445.C33571@blossom.cjclark.org>
"Crist J. Clark" wrote:
> -- <clip> --
>
> I want to use 'user_fqdn' because,
>
> 1) One end has a dynamic address so I can't specify 'sainfo' with
> an address, and
>
> 2) I (will) have different policies for different peers so I do not
> want to use an 'anonymous' 'sainfo.'
>
> I have no attachment to using 'user_fqdn,' it's just that I don't want
> to try to use addresses since one end is dynamic, and 'user_fqdn'
> seemed the obvious choice from the racoon.conf(5) docs.

Ok, maybe some confusion on what the sainfo part of racoon.conf really does. To the best of my knowledge the sainfo part really just sets up the encryption used by ESP: algorithms & lifetime. So, using an anonymous sainfo in racoon.conf doesn't really go against your requirements.

You can use the phase 1 section (remote) to allow the remote end to set the policy: 'proposal_check claim: obey' will do the trick. Just configure the sainfo anonymous to support a wide variety of algorithms and the "obey part" will take care of the lifetime setting.

The rub you'll run into with dynamic addresses on the remote end is finding a matching spd (ipsec policy). Creative use of 0.0.0.0 and 'use' instead of 'require' might work but I haven't built up the gumption to try, yet. Notes about using PGPNet and ipsec might have something useful about dynamic ip addresses.

Hope this helps,
Greg
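The layout Greg describes, as an added racoon.conf example that is not part of the thread: an anonymous phase 1 (remote) section with proposal_check obey so the peer's lifetime is accepted, and one anonymous sainfo offering a broad set of ESP algorithms so a dynamic-address peer can find a match. The pre-shared-key path, the user_fqdn identifier, and the particular algorithm lists are assumptions for the sake of the example.

```conf
# Added example (not from the thread). Assumed paths and identifiers.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";   # assumed PSK file

# Phase 1: accept any peer address (the remote end is dynamic) and let the
# initiator's proposal decide lifetime rather than insisting on ours.
remote anonymous {
        exchange_mode aggressive, main;
        my_identifier user_fqdn "gateway@example.org";   # assumed identifier
        # obey: as responder, accept the initiator's lifetime/PFS proposal
        proposal_check obey;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Phase 2: one anonymous sainfo that offers several ESP transforms so the
# peer's choice will match. The lifetime here is only what this end proposes;
# with "obey" above the responder defers to the initiator's value.
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm 3des, aes, blowfish, cast128;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
```

Two practical points when reviewing such a configuration: with a pre-shared key and a peer whose address is unknown in advance, aggressive mode carries the user_fqdn identity early enough for the responder to look up the key by identifier, whereas main mode with PSK needs the peer's address to select the key; and because "obey" lets the initiator dictate lifetime and PFS, the sainfo algorithm list is the responder's only remaining control over the ESP transform, so it should list only algorithms the site is willing to accept.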