> IPSec isn't well documented, but once I figured out the config
> file it didn't seem too bad. I am guessing that replay prevention
Reading the RFCs might be more helpful than most of the KAME
documentation. There's also a lot of undocumented stuff for which the
sources seem to be the only source of information (e.g. how PF_KEY v2
differs from the standard).
> I had to fix up /etc/rc.network a little to load the ipsec rules
> at the appropriate point (just after the interface and ipfw setup,
> but before any services (like NFS) are run). I am going to put the
> (relatively simple) patch for rc.network up for a quick review and
> then commit it along with an example file and a reference to the
> example file in the man page.
Fixed security associations with an infinite lifetime are certainly
not the ideal way of using IPsec. Examples of setups like this should
be provided with the appropriate warnings.
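Added example (not code from the mail or from KAME): a small lint for a setkey(8) configuration that flags manual SA `add` lines with no hard lifetime (`-lh`) or no replay window (`-r`), i.e. the infinite-lifetime, replay-unchecked setup the reply cautions against. The configuration is constructed sample input, and the script assumes the KAME setkey syntax in which `-ls`/`-lh` set soft/hard lifetimes in seconds and `-r` sets the replay window in 32-bit words.

```shell
#!/bin/sh
# Constructed sample setkey(8) configuration (assumed KAME syntax), embedded
# so the script runs offline. The first SA is the kind of entry an example
# file should warn about: no lifetime, so it lives until flushed, and no
# replay window, so replay checking is off. The second carries both.
SAMPLE_CONF='
# manual SA, no lifetime, no replay window
add 10.0.0.1 10.0.0.2 esp 0x1001 -m transport -E rijndael-cbc "0123456789abcdef";
# same pair with soft/hard lifetimes and a 32-word replay window
add 10.0.0.2 10.0.0.1 esp 0x1002 -m transport -ls 3000 -lh 3600 -r 32 -E rijndael-cbc "fedcba9876543210";
spdadd 10.0.0.1 10.0.0.2 any -P out ipsec esp/transport//require;
'

# lint_sa_lifetimes CONFIG_TEXT
# Prints one finding per manual "add" line that lacks -lh or -r.
# Returns 1 if any finding was made, 0 if every SA has both settings.
lint_sa_lifetimes() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }                  # skip comment lines
        /^[[:space:]]*add[[:space:]]/ {             # manual SA entries only
            if ($0 !~ /-lh[[:space:]]+[0-9]+/) {
                print "no hard lifetime (-lh): " $0; bad++
            }
            if ($0 !~ /-r[[:space:]]+[0-9]+/) {
                print "no replay window (-r): " $0; bad++
            }
        }
        END { exit bad > 0 }'
}

# Usage: run the lint over the sample; prints the two findings for the first SA.
lint_sa_lifetimes "$SAMPLE_CONF" || echo "review the SAs listed above"
```

The check is deliberately line-oriented: setkey entries end with `;` and the sample keeps one per line, so a multi-line entry would need the lines joined first.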
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message