From owner-freebsd-security Mon Jun 24 9:14:34 2002
Message-ID: <3D1669C2.DF6F426A@dolaninformation.com>
Date: Sun, 23 Jun 2002 19:37:22 -0500
From: Greg Panula
Reply-To: greg.panula@dolaninformation.com
Organization: Dolan Information Center Inc
To: cjclark@alum.mit.edu
Cc: security@freebsd.org
Subject: Re: Configuring sainfo in racoon(8)
References: <20020618130547.A11688@blossom.cjclark.org> <20020622050353.A35129@zith.net> <20020622120445.C33571@blossom.cjclark.org>

"Crist J. Clark" wrote:

> I want to use 'user_fqdn' because,
>
> 1) One end has a dynamic address so I can't specify 'sainfo' with
>    an address, and
>
> 2) I (will) have different policies for different peers so I do not
>    want to use an 'anonymous' 'sainfo.'
>
> I have no attachment to using 'user_fqdn,' it's just that I don't want
> to try to use addresses since one end is dynamic, and 'user_fqdn'
> seemed the obvious choice from the racoon.conf(5) docs.

Ok, maybe some confusion on what the sainfo part of racoon.conf really
does. To the best of my knowledge the sainfo part really just sets up
the encryption used by ESP: algorithms and lifetime. So, using an
anonymous sainfo in racoon.conf doesn't really go against your
requirements. You can use the phase 1 section (remote) to allow the
remote end to set the policy: 'proposal_check claim: obey' will do the
trick. Just configure the sainfo anonymous to support a wide variety of
algorithms and the "obey part" will take care of the lifetime setting.

The rub you'll run into with dynamic addresses on the remote end is
finding a matching SPD (IPsec policy). Creative use of 0.0.0.0 and
'use' instead of 'require' might work but I haven't built up the
gumption to try, yet. Notes about using PGPNet and IPsec might have
something useful about dynamic IP addresses.

Hope this helps,
Greg
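The arrangement Greg describes, written out as a racoon.conf fragment. This is an added illustration, not configuration from the message or from the racoon project; the addresses, host names, identities and the psk.txt path are assumed placeholders, and it only covers the racoon side (the SPD question raised in the reply is a separate setkey(8) matter and is left as the post leaves it).

```conf
# Added illustration of the reply above: a single anonymous sainfo that
# offers a broad algorithm set, with the phase 1 (remote) section using
# proposal_check obey so the initiating peer's lifetime/PFS is accepted.
# All addresses, identities and paths are assumed placeholders.

path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# This end has the fixed address (placeholder 203.0.113.1); the peer's
# address is dynamic, so phase 1 is matched on its user_fqdn identity
# rather than on an address.
listen {
        isakmp 203.0.113.1 [500];
}

remote anonymous {
        # Aggressive mode carries the identity in the first exchange,
        # which is what lets a peer at an unknown address be matched.
        exchange_mode aggressive, main;
        my_identifier fqdn "gw.example.net";
        peers_identifier user_fqdn "roadwarrior@example.net";
        verify_identifier on;

        # Responder only: this end waits for the dynamic peer to initiate.
        passive on;

        # obey: take the initiator's proposed lifetime and PFS group
        # instead of insisting on the values configured locally.
        proposal_check obey;

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
                lifetime time 8 hour;
        }
}

# Phase 2: no per-peer sainfo; offer a wide algorithm set and let
# proposal_check obey settle on whatever lifetime the initiator asks for.
sainfo anonymous {
        pfs_group modp1024;
        lifetime time 1 hour;
        encryption_algorithm 3des, rijndael, blowfish;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
```

proposal_check only has an effect when racoon is the responder, which is the case here because the dynamic end has to initiate. The pre-shared key for the peer would be listed in psk.txt under the same "roadwarrior@example.net" identifier; an SPD entry that matches traffic from an address known only at negotiation time still has to be installed by setkey(8) and is not addressed by this file.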