Subject: Re: Using IKE with one fixed end and one dynamic end
To: None <darrenr@reed.wattle.id.au>
From: Shoichi Sakane <sakane@kame.net>
List: tech-net
Date: 10/30/2001 11:44:48
> Does anyone have any suggestions on how to configure IKE (racoon) for
> access to a LAN from cable internet (DHCP) ? Can you assume you know
> nothing about the remote IP address ? Particularly, what should
> the SPDs look like.

I always define the SPD like the following.

At the client side,

    spdadd 0.0.0.0/0 server any -P out ipsec esp/transport//require;
    spdadd server 0.0.0.0/0 any -P in ipsec esp/transport//require;

At the server side,

    spdadd server 0.0.0.0/0 any -P out ipsec esp/transport//use;
    spdadd 0.0.0.0/0 server any -P in ipsec esp/transport//use;

And I specify "passive on" in the configuration file of racoon
at the server.
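
Added example (not part of the original message, and not KAME or racoon code): a simplified Python model of how the `require` and `use` levels in the policies above treat a packet with and without an SA. The address 192.0.2.10 standing in for `server`, the peer address 203.0.113.7, and the function names are assumptions made for the illustration.

```python
import ipaddress

SERVER = "192.0.2.10"  # constructed address standing in for "server"

CLIENT_SPD = """\
spdadd 0.0.0.0/0 server any -P out ipsec esp/transport//require;
spdadd server 0.0.0.0/0 any -P in ipsec esp/transport//require;"""
SERVER_SPD = """\
spdadd server 0.0.0.0/0 any -P out ipsec esp/transport//use;
spdadd 0.0.0.0/0 server any -P in ipsec esp/transport//use;"""

def parse_spd(text):
    """Parse the spdadd lines from the message into policy dicts."""
    def net(a):
        return ipaddress.ip_network(SERVER + "/32" if a == "server" else a)
    policies = []
    for line in text.splitlines():
        tok = line.rstrip(";").split()
        policies.append({"src": net(tok[1]), "dst": net(tok[2]),
                         "dir": tok[5], "level": tok[7].split("/")[-1]})
    return policies

def decide(spd, direction, src, dst, esp):
    """Simplified kernel decision for one packet.

    esp: outbound -> a matching SA exists; inbound -> packet arrived under ESP.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in spd:
        if p["dir"] == direction and s in p["src"] and d in p["dst"]:
            break
    else:
        return "no policy: plain IP"
    if direction == "out":
        if esp:
            return "send with ESP"
        # require: nothing leaves until IKE has set up an SA; use: falls back.
        return "blocked until SA exists" if p["level"] == "require" else "send in clear"
    if esp:
        return "accept (ESP)"
    return "drop" if p["level"] == "require" else "accept in clear"

if __name__ == "__main__":
    client, server, peer = parse_spd(CLIENT_SPD), parse_spd(SERVER_SPD), "203.0.113.7"
    print("client -> server, no SA:", decide(client, "out", peer, SERVER, False))
    print("server -> client, no SA:", decide(server, "out", SERVER, peer, False))
    print("server <- cleartext    :", decide(server, "in", peer, SERVER, False))
    print("client <- cleartext    :", decide(client, "in", SERVER, peer, False))
```

In this model the server's `use` policies send and accept cleartext whenever no SA exists, so only the client's `require` policies enforce ESP.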