Subject: Re: IPsec configuration issues
To: None <tech-security@netbsd.org>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-security
Date: 03/12/2000 22:30:36
Message-Id: <200003130330.WAA06446@sandelman.ottawa.on.ca>
In-Reply-To: Your message of "Mon, 13 Mar 2000 11:43:00 +0900."
<6370.952915380@coconut.itojun.org>
>>>>> "itojun" == itojun <itojun@iijlab.net> writes:
>> Now, the server's addresses (it has 2) are static. However, I need a
>> way to say "any" for the other end. In English, I'd like to say this:
>> For all packets destined to <ip_address_of_server>[tcp port 110],
>> they must be encrypted with <algorithm>.
itojun> inetd.conf "#@" hack should be useful here.
itojun> #@ in ipsec esp/transport//require
itojun> pop3 stream tcp nowait root /usr/pkg/libexec/qpopper qpopper -s
itojun> #@
That insists on the server that it set this policy. That means that even
people on the local wire, or from localhost, must encrypt. I'd rather that it
was the clients that had this policy, and negotiated via racoon to have this
policy.
:!mcr!: | Cow#1: Are you worried about getting Mad Cow Disease?
Michael Richardson | Cow#2: No. I'm a duck.
Home: mcr@sandelman.ottawa.on.ca. PGP key available.