On 1/18/07, Dan Mahoney, System Admin <[EMAIL PROTECTED]> wrote:
> On Thu, 18 Jan 2007, Andrew Pantyukhin wrote:
>
> > On 1/18/07, Dan Mahoney, System Admin <[EMAIL PROTECTED]> wrote:
> >
> > It's not that simple. The difficulty is in key exchange,
> > and it stays. I can show you how to implement it with
> > static keys:
>
> As I read through the article
> (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html)...
> I get the distinct impression the howto actually is somewhat
> adaptable -- one just needs to ignore everything it says about
> tunnels, and the GIF device.
>
> I'd still install racoon, still do everything like that -- the change
> comes in the lines in /etc/ipsec.conf
>
> spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;
> spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;
>
> which would be I think modified to your lines below.  I'm not sure if you
> still need the additional policy definition (between the slashes).
> Perhaps you can clarify for me?

Just esp/transport//require; should do

> I'm liking doing things with racoon only because it allows you to use
> those nice non-static keys.

So do I. The problem is there's no perfect way to
block non-ipsec traffic right now and there's no
way to make sure racoon won't ever croak and leave
you insecure/disconnected. YMMV.
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
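The transport-mode policy Andrew points at (esp/transport//require), written out as a complete setkey(8) policy file for one host pair. This is an added example, not code from the thread or from the FreeBSD handbook; the addresses 192.0.2.10 and 198.51.100.20 are made up (RFC 5737 documentation ranges), and the racoon side (racoon.conf, pre-shared key) is assumed to be set up as the handbook describes and is not shown.

```shell
#!/bin/sh
# Added example (not from the thread): generate the setkey(8) policy for
# host-to-host ESP in transport mode, i.e. what "esp/transport//require"
# gives you instead of the handbook's gif-based tunnel.
# Addresses are made up (RFC 5737 documentation ranges).

LOCAL=192.0.2.10
PEER=198.51.100.20

# Print the SPD for one host pair. Differences from the handbook's tunnel
# policy:
#  - upper-layer protocol is "any", not "ipencap": there is no gif tunnel,
#    so every protocol between the two hosts is covered;
#  - the policy template has an empty address field ("esp/transport//"),
#    because transport mode adds no outer IP header, so there are no
#    tunnel endpoints to name;
#  - "require" means packets matching the policy are dropped until an SA
#    exists, and the kernel asks racoon (IKE) to negotiate one. If racoon
#    dies, traffic to the peer stops rather than going out in the clear
#    (the "use" level would instead fall back to cleartext).
transport_spd() {
    local_ip=$1
    peer_ip=$2
    printf 'spdflush;\n'
    printf 'spdadd %s/32 %s/32 any -P out ipsec esp/transport//require;\n' \
        "$local_ip" "$peer_ip"
    printf 'spdadd %s/32 %s/32 any -P in ipsec esp/transport//require;\n' \
        "$peer_ip" "$local_ip"
}

# The same policy as seen from the peer: roles swapped.
peer_spd() {
    transport_spd "$2" "$1"
}

# Usage on the local host (root, IPsec-enabled kernel, racoon running):
#   transport_spd "$LOCAL" "$PEER" > /etc/ipsec.conf
#   setkey -f /etc/ipsec.conf
#   setkey -DP                     # policies loaded as expected?
#   ping "$PEER"                   # triggers IKE; first packets drop until the SA is up
#   setkey -D                      # SAs racoon negotiated
#   tcpdump -ni em0 host "$PEER"   # only ESP (proto 50) and UDP/500 should appear
```

The tcpdump check is the practical answer to "did it really go out encrypted": if you see anything other than ESP and IKE (UDP/500) between the two hosts, the policy did not match that traffic.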