> On Fri, Sep 21, 2001 at 09:47:03AM +0100, Brian Somers wrote:
> > 
> >   spdadd 1.2.3.4/32 5.6.7.8/32 ip4 -P in ipsec esp/transport//require;
> >   spdadd 5.6.7.8/32 1.2.3.4/32 ip4 -P out ipsec esp/transport//require;
> > 
> > This is your setkey input.  The ``ip4'' bit tells ipsec to only touch 
> > IP-in-IP traffic, so comms going from an internal LAN to an external 
> > gateway address (1.2.3.4 or 5.6.7.8) won't be encrypted (but may be 
> > NAT'd).  Only the gif-encapsulated traffic is encrypted.
> 
> Hum, looks great, but the man page for setkey says:
> 
> «     spdadd src_range dst_range upperspec policy ;
> 
>      upperspec
>              Upper-layer protocol to be used.  Currently tcp, udp and any can
>              be specified.  any stands for ``any protocol''. »
> 
> And when I use 'ip4' instead of any/icmp/tcp/udp, it says: 
> line #[where ip4]: Syntax error at [i].
> 
> (Funny error location, by the way).
> 
> Is it a « new feature » of the KAME setkey shipped with 4.4?

Yes, it was added by me specifically to permit NAT & IPSEC to work 
together (although the KAME guys have made it better by now allowing 
any protocols(5) value).

The patch is very simple, so you may want to patch your system 
(kernel support is already there, it's just a one-line userland 
change).

> -- 
> Sameh

Cheers.

-- 
Brian <[EMAIL PROTECTED]>                <[EMAIL PROTECTED]>
      http://www.freebsd-services.com/        <brian@[uk.]FreeBSD.org>
Don't _EVER_ lose your sense of humour !      <brian@[uk.]OpenBSD.org>

Index: token.l
===================================================================
RCS file: /home/ncvs/src/usr.sbin/setkey/token.l,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- token.l     4 Jul 2000 16:22:05 -0000       1.3
+++ token.l     17 May 2001 15:30:49 -0000      1.4
@@ -200,6 +200,7 @@
        /* upper layer protocols */
 icmp           { PREPROC; yylval.num = IPPROTO_ICMP; return(UP_PROTO); }
 icmp6          { PREPROC; yylval.num = IPPROTO_ICMPV6; return(UP_PROTO); }
+ip4            { PREPROC; yylval.num = IPPROTO_IPV4; return(UP_PROTO); }
 tcp            { PREPROC; yylval.num = IPPROTO_TCP; return(UP_PROTO); }
 udp            { PREPROC; yylval.num = IPPROTO_UDP; return(UP_PROTO); }
 
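Review bot: the hunk adds an `ip4` token (IPPROTO_IPV4) right after `icmp6`, but no matching `ip6` token (IPPROTO_IPV6), so an IPv6-in-IP gif tunnel still cannot be selected by upperspec the way the IPv4 one now can; a symmetric `ip6 { PREPROC; yylval.num = IPPROTO_IPV6; return(UP_PROTO); }` line would keep the lexer consistent with the existing icmp/icmp6 pair. The setkey(8) text quoted earlier in the thread still lists only tcp, udp and any under upperspec, so the man page should be updated in the same change to document the new keyword.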

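To make the point of the quoted spdadd pair concrete, here is an added example (not code from this thread or from KAME/FreeBSD) that models how a security policy database entry is matched against an outgoing or incoming packet. It reuses the two policy lines from the thread, compares the `ip4` upperspec with `any`, and mimics the syntax error the pre-patch setkey gives for an unknown upperspec. The first-match lookup and the keyword table are simplifying assumptions made for this illustration, not the kernel's actual SPD algorithm.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Upper-layer protocol keywords accepted by this toy parser; "ip4" is the
# keyword the patch adds (IPPROTO_IPV4 == 4, i.e. IP-in-IP as used by gif).
# "any" matches every protocol. Assumption: this table is the whole grammar.
UPPERSPEC = {"any": None, "icmp": 1, "ip4": 4, "tcp": 6, "udp": 17}

# spdadd <src_range> <dst_range> <upperspec> -P <in|out> <policy> ;
SPDADD_RE = re.compile(
    r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+(.+?)\s*;\s*$"
)


@dataclass
class SpdEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int]   # None means "any"
    direction: str         # "in" or "out"
    policy: str            # e.g. "ipsec esp/transport//require"


def parse_spdadd(line: str) -> SpdEntry:
    """Parse one spdadd line; unknown upperspec raises like setkey's syntax error."""
    m = SPDADD_RE.match(line.strip())
    if not m:
        raise ValueError(f"cannot parse: {line!r}")
    src, dst, upper, direction, policy = m.groups()
    if upper not in UPPERSPEC:
        raise ValueError(f"syntax error at [{upper}]")
    return SpdEntry(ipaddress.ip_network(src), ipaddress.ip_network(dst),
                    UPPERSPEC[upper], direction, policy)


def lookup(spd: List[SpdEntry], src: str, dst: str, proto: int, direction: str) -> str:
    """Return the policy of the first matching entry, or 'none' (bypass)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in spd:
        if e.direction != direction or s not in e.src or d not in e.dst:
            continue
        if e.proto is not None and e.proto != proto:
            continue
        return e.policy
    return "none"


# Constructed policy sets: the pair from the thread, and the same pair with "any".
POLICY_IP4 = [
    "spdadd 1.2.3.4/32 5.6.7.8/32 ip4 -P in ipsec esp/transport//require;",
    "spdadd 5.6.7.8/32 1.2.3.4/32 ip4 -P out ipsec esp/transport//require;",
]
POLICY_ANY = [p.replace(" ip4 ", " any ") for p in POLICY_IP4]

# Constructed packets leaving gateway 5.6.7.8 for gateway 1.2.3.4:
# a gif-encapsulated packet (proto 4) and a NAT'd LAN TCP session (proto 6).
PACKETS = {"gif": 4, "nat_tcp": 6}


def classify(policy_lines: List[str]) -> dict:
    """Map each constructed packet to the policy the SPD would apply."""
    spd = [parse_spdadd(l) for l in policy_lines]
    return {name: lookup(spd, "5.6.7.8", "1.2.3.4", proto, "out")
            for name, proto in PACKETS.items()}


if __name__ == "__main__":
    print("ip4 upperspec:", classify(POLICY_IP4))
    print("any upperspec:", classify(POLICY_ANY))
    try:
        parse_spdadd("spdadd 1.2.3.4/32 5.6.7.8/32 ip6 -P in ipsec esp/transport//require;")
    except ValueError as err:
        print("rejected:", err)
```

With the `ip4` upperspec only the tunnel packet gets `ipsec esp/transport//require` and the NAT'd TCP flow falls through to `none`, which is exactly the separation the first message describes; with `any` both flows are forced into ESP, and a keyword the lexer does not know is rejected the way the old setkey rejected `ip4`.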