I would expect IPsec to work.  However, it will be slightly
non-straightforward to set up with SPD entries, since one would have
to define selectors to describe the Amanda traffic.  Packets to
UDP/10080 (in src/out dst on tape host, and in dst/out src on clients)
should be easy, but the ports used for TCP connections appear to be
hard to predict.

So, I think that modifying the Amanda source to make the appropriate
kernel calls to bind policy to the Amanda sockets is the right thing
to do.

Of course, one still needs to set up an IKE daemon or manual keying.

Also, I realize you said you didn't want to set up Kerberos, but IMHO
it's no harder than making IPsec work for Amanda.

        Greg Troxel <[EMAIL PROTECTED]>
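
Added example, not part of the original message: the UDP/10080 selectors described above, written as SPD entries for a KAME-style setkey(8) configuration. The use of setkey, ESP transport mode, and the addresses (tape host 192.0.2.10, client 192.0.2.21, from the documentation range) are assumptions made for illustration.

```conf
# --- On the tape host (192.0.2.10, constructed address) ---
# Outbound requests: destination port 10080 on the client ("out dst").
spdadd 192.0.2.10[any] 192.0.2.21[10080] udp
        -P out ipsec esp/transport//require;
# Inbound replies: source port 10080 on the client ("in src").
spdadd 192.0.2.21[10080] 192.0.2.10[any] udp
        -P in ipsec esp/transport//require;

# --- On the client (192.0.2.21, constructed address) ---
# Inbound requests: destination port 10080 locally ("in dst").
spdadd 192.0.2.10[any] 192.0.2.21[10080] udp
        -P in ipsec esp/transport//require;
# Outbound replies: source port 10080 locally ("out src").
spdadd 192.0.2.21[10080] 192.0.2.10[any] udp
        -P out ipsec esp/transport//require;

# These selectors match only the UDP/10080 exchange. The TCP
# connections have no fixed port to write a selector for, so they
# are not covered here; that gap is what per-socket policy set from
# inside Amanda would close.
#
# "require" means matching packets are sent or accepted only under
# a security association, so the SAs must exist already (manual
# keying) or be negotiated by an IKE daemon.
```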
