Subject: Re: IPsec configuration issues
To: None <tech-security@netbsd.org>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-security
Date: 03/12/2000 22:27:05
Message-Id: <200003130327.WAA06424@sandelman.ottawa.on.ca>
In-Reply-To: Your message of "Sun, 12 Mar 2000 18:03:36 PST."
<20000312180336.A1139@dhcp0.wlan.shagadelic.org>

>>>>> "Jason" == Jason R Thorpe <thorpej@shagadelic.org> writes:
Jason> There's not an obvious way to do this from what's documented in the
Jason> setkey(8) and racoon(8) manual pages.
Jason> Any experts on these programs have some suggestions?

I have spent some 15 days doing it as paid work, and I can't say that I'm
an expert yet. I assume that you are using the more recent code (the recently
integrated -STABLE).

My recommendations:

1) setup of racoon at each end.
2) test with
     ping -E 'out ipsec esp/transport/A-B/require' B

I do not believe that there is a way to describe the policy that you want yet.

:!mcr!: | Cow#1: Are you worried about getting Mad Cow Disease?
Michael Richardson | Cow#2: No. I'm a duck.
Home: mcr@sandelman.ottawa.on.ca. PGP key available.