Date: Fri, 19 Dec 2008 16:08:46 +0100
From: VANHULLEBUS Yvan <vanhu@FreeBSD.org>
To: Tom Evans <tevans.uk@googlemail.com>
Cc: freebsd-net@freebsd.org, Noah Silverman <noah@webclipping.com>
Subject: Re: Surf outside Internet through VPN
Message-ID: <20081219150846.GA39267@zeninc.net>
In-Reply-To: <1229693702.41849.47.camel@strangepork.mintel.co.uk>
References: <E35F3ECA-9084-4C96-B4CE-D51E8E76A4A0@webclipping.com> <20081219130344.GA38912@zeninc.net> <1229693702.41849.47.camel@strangepork.mintel.co.uk>
On Fri, Dec 19, 2008 at 01:35:02PM +0000, Tom Evans wrote:
> On Fri, 2008-12-19 at 14:03 +0100, VANHULLEBUS Yvan wrote:
> >
> > Please note that, for IPsec (and for IKE negotiations), 0.0.0.0/0 does
> > NOT mean "any IP", it does REALLY mean "the network with base
> > address 0.0.0.0 and 0 bits of netmask".
> >
> >
> > Yvan.
>
> Could you define an IPv4 IP address that wouldn't be matched by that
> definition? IE - aren't they both the same thing? I might be being
> dense..

When setting up configurations, I often see people who put 0.0.0.0/0 as
traffic endpoint on one side, and "something else" on the other side
(either in racoon.conf's sainfo sections or in SPD traffic endpoints),
and who think it will work.

It won't.

Of course, once you get such an SPD entry, any packet which matches the
other network (myip as source in my previous example) will match the SPD.

Yvan.
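An added illustration of the distinction drawn in the reply above (a small Python model written for this archive entry, not racoon or FreeBSD kernel code): SPD traffic matching is modelled as prefix containment, where 0.0.0.0/0 contains every IPv4 address, while the phase 2 identity exchanged in IKE is modelled as an exact (base address, prefix length) pair, so 0.0.0.0/0 on one side only pairs with 0.0.0.0/0 on the other. The exact-pair rule and the `policies_mirror` helper are assumptions of this model, not a description of racoon's matching code.

```python
import ipaddress

# Constructed model, not racoon code: separates SPD selector matching
# (does the packet fall inside the selector network?) from IKE identity
# comparison (are two network/prefix-length pairs the same identity?).


def spd_matches(selector: str, packet_addr: str) -> bool:
    """SPD selector semantics: the packet address only has to fall inside
    the selector's network, so 0.0.0.0/0 matches every IPv4 address."""
    net = ipaddress.ip_network(selector, strict=False)
    return ipaddress.ip_address(packet_addr) in net


def ike_id_equal(local_id: str, peer_id: str) -> bool:
    """IKE identity semantics as stated in the thread (assumed exact match):
    an ID is the pair (base address, prefix length), so 0.0.0.0/0 is one
    specific pair that equals nothing but another 0.0.0.0/0."""
    a = ipaddress.ip_network(local_id, strict=False)
    b = ipaddress.ip_network(peer_id, strict=False)
    return (a.network_address, a.prefixlen) == (b.network_address, b.prefixlen)


def policies_mirror(local_src: str, local_dst: str,
                    peer_src: str, peer_dst: str) -> bool:
    """Hypothetical check: the peer's (src, dst) pair must be the exact
    mirror (dst, src) of ours for the phase 2 identities to line up; a
    successful SPD match on our side alone says nothing about that."""
    return ike_id_equal(local_src, peer_dst) and ike_id_equal(local_dst, peer_src)


if __name__ == "__main__":
    # Our side: host 10.0.0.5 talks to "everything" (constructed addresses).
    print(spd_matches("0.0.0.0/0", "192.168.1.7"))  # prefix containment: True
    # Peer configured with the mirror of our policy: identities agree.
    print(policies_mirror("10.0.0.5/32", "0.0.0.0/0", "0.0.0.0/0", "10.0.0.5/32"))
    # Peer configured with "something else" (192.168.1.0/24) against our
    # 0.0.0.0/0: the packet 192.168.1.7 still matches our SPD, but the
    # identities are different networks, which is the mismatch Yvan describes.
    print(policies_mirror("10.0.0.5/32", "0.0.0.0/0", "192.168.1.0/24", "10.0.0.5/32"))
```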