port-i386: Flexibility of IPSec IP range configuration

Subject: Flexibility of IPSec IP range configuration
To: None <port-i386@netbsd.org>
From: I-Wei Chen <gis90590@cis.nctu.edu.tw>
List: port-i386
Date: 12/25/2002 15:30:02

Hello, 

  Recently, I use KAME/IPSec to establish tunnels with other commercial
  products. I find most of them can support 'range ip address' which 
  means they can specify ip range in the policy like this :
  192.168.1.100 ~ 192.168.1.200 (i.e. 100, 101, 102..199, 200)
  However, KAME/IPSec can only specify ip range in the form of IP/Prefix_Length, 
  that can't match ip range 192.168.1.100 ~ 192.168.1.200 

  So, tunnel can't be established because IKE checks whether these two tunnel endpoints have 
  the same SA information.

  Will new KAME/IPSec support more flexible IP range configuration ?

Thanks,
Derek