From owner-freebsd-net@FreeBSD.ORG  Fri Dec 19 15:05:59 2008
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 9785A1065680
	for <freebsd-net@freebsd.org>; Fri, 19 Dec 2008 15:05:59 +0000 (UTC)
	(envelope-from vanhu@zeninc.net)
Received: from smtp.zeninc.net (smtp.zeninc.net [80.67.176.25])
	by mx1.freebsd.org (Postfix) with ESMTP id 554748FC2B
	for <freebsd-net@freebsd.org>; Fri, 19 Dec 2008 15:05:59 +0000 (UTC)
	(envelope-from vanhu@zeninc.net)
Received: from astro.zen.inc (astro.zen.inc [192.168.1.239])
	by smtp.zeninc.net (smtpd) with ESMTP id D1D372798B8;
	Fri, 19 Dec 2008 16:05:57 +0100 (CET)
Received: by astro.zen.inc (Postfix, from userid 1000)
	id CE97B17057; Fri, 19 Dec 2008 16:08:46 +0100 (CET)
Date: Fri, 19 Dec 2008 16:08:46 +0100
From: VANHULLEBUS Yvan <vanhu@FreeBSD.org>
To: Tom Evans <tevans.uk@googlemail.com>
Message-ID: <20081219150846.GA39267@zeninc.net>
References: <E35F3ECA-9084-4C96-B4CE-D51E8E76A4A0@webclipping.com>
	<20081219130344.GA38912@zeninc.net>
	<1229693702.41849.47.camel@strangepork.mintel.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1229693702.41849.47.camel@strangepork.mintel.co.uk>
User-Agent: All mail clients suck. This one just sucks less.
Cc: freebsd-net@freebsd.org, Noah Silverman <noah@webclipping.com>
Subject: Re:  Surf outside Internet through VPN
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Dec 2008 15:05:59 -0000

On Fri, Dec 19, 2008 at 01:35:02PM +0000, Tom Evans wrote:
> On Fri, 2008-12-19 at 14:03 +0100, VANHULLEBUS Yvan wrote:
> > 
> > Please note that, for IPsec (and for IKE negociations), 0.0.0.0/0 does
> > NOT means "any IP", it does REALLY means "the network with base
> > address 0.0.0.0 and 0 bits of netmask".
> > 
> > 
> > Yvan.
> 
> Could you define an IPv4 IP address that wouldn't be matched by that
> definition? IE - aren't they both the same thing? I might be being
> dense..

When setting up configurations, I often see people who put 0.0.0.0/0
as traffic endpoint one one side, and "something else" on the other
side (either in racoon.conf's sainfo sections or in SPD traffic
endpoints), and who think it will work. It won't.

Of course, once you get such SPD entry, any packet wich matches the
other network (myip as source in my previous example) will match the
SPD.




Yvan.