Subject: Re: IPsec configuration issues
To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
From: None <itojun@iijlab.net>
List: tech-security
Date: 03/13/2000 12:39:46
cc: tech-security@netbsd.org
In-reply-to: mcr's message of Sun, 12 Mar 2000 22:30:36 EST.
      <200003130330.WAA06446@sandelman.ottawa.on.ca>
Message-ID: <7309.952918786@coconut.itojun.org>


>>> Now, the server's addresses (it has 2) are static.  However, I need a
>>> way to say "any" for the other end.  In English, I'd like to say this:
>>> For all packets destined to <ip_address_of_server>[tcp port 110],
>>> they must be encrypted with <algorithm>.
>
>> 	inetd.conf "#@" hack should be useful here.
>
>> #@ in ipsec esp/transport//require
>> pop3  stream	tcp	nowait	root	/usr/pkg/libexec/qpopper	qpopper -s
>> #@
>
>  That insists on the server that it set this policy. That means that even
>people on the local wire, or from localhost, must encrypt. I'd rather that it
>was the clients that had this policy, and negotiated via racoon to have this
>policy.

	oops, you're right.  please use the following.  This should encrypt
	traffic from server to client, whenever a key is available.  client side
	should use "esp/transport//require", instead of "esp/transport//use".
	if you use "esp/transport//use", some packets will be transmitted
	in the clear between client and the server.

	BTW, racoon does not negotiate policy.

itojun


#@ out ipsec esp/transport//use
pop3  stream	tcp	nowait	root	/usr/pkg/libexec/qpopper	qpopper -s
#@
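Added example, not from this thread or from NetBSD's inetd: a small Python audit of the "#@" per-service policy lines discussed above, assuming the KAME policy form `direction ipsec proto/mode/src-dst/level` (levels default, use, require, unique) and a constructed inetd.conf sample. It reports a malformed rule (the one-slash "esp/transport/use" slip) and any "use" level, which lets traffic go in the clear when no SA exists.

```python
import re

DIRECTIONS, PROTOCOLS = {"in", "out"}, {"esp", "ah", "ipcomp"}
MODES, LEVELS = {"transport", "tunnel"}, {"default", "use", "require", "unique"}
RULE_RE = re.compile(r"^([a-z]+)/([a-z]+)/([^/]*)/([a-z]+)$")  # proto/mode/src-dst/level


def parse_policy(spec):
    """Parse text after "#@" (e.g. "out ipsec esp/transport//use") into
    (direction, [(proto, mode, src_dst, level), ...]); ValueError if malformed."""
    words = spec.split()
    if len(words) < 3 or words[0] not in DIRECTIONS or words[1] != "ipsec":
        raise ValueError("expected '<in|out> ipsec <rule>...', got %r" % spec)
    rules = []
    for word in words[2:]:
        m = RULE_RE.match(word)
        if m is None:  # the src-dst slot must be present even when empty (transport mode)
            raise ValueError("malformed rule %r: need proto/mode/src-dst/level" % word)
        proto, mode, src_dst, level = m.groups()
        if proto not in PROTOCOLS or mode not in MODES or level not in LEVELS:
            raise ValueError("unknown proto/mode/level in %r" % word)
        if mode == "tunnel" and "-" not in src_dst:
            raise ValueError("tunnel mode needs src-dst endpoints in %r" % word)
        rules.append((proto, mode, src_dst, level))
    return words[0], rules


def audit_inetd(conf):
    """Walk inetd.conf text; a "#@ <policy>" line covers the service lines after
    it until a bare "#@". Returns (line_no, service_or_None, message) per issue."""
    findings, policy = [], None
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#@"):
            policy, body = None, line[2:].strip()
            try:
                policy = parse_policy(body) if body else None
            except ValueError as err:
                findings.append((no, None, str(err)))
            continue
        if not line or line.startswith("#") or policy is None:
            continue
        service, (direction, rules) = line.split()[0], policy
        for proto, mode, _, level in rules:
            if level == "use":  # SA used when present, otherwise packets go in the clear
                findings.append((no, service, "%s %s/%s level 'use': cleartext when no SA"
                                 % (direction, proto, mode)))
    return findings


# Constructed sample: the thread's qpopper line plus an imap line with the one-slash typo.
SAMPLE_CONF = ("#@ out ipsec esp/transport//use\n"
               "pop3 stream tcp nowait root /usr/pkg/libexec/qpopper qpopper -s\n"
               "#@\n#@ in ipsec esp/transport/require\n"
               "imap stream tcp nowait root /usr/pkg/libexec/imapd imapd\n#@\n")
```

Run `audit_inetd(SAMPLE_CONF)` to get two findings: the pop3 service under a "use" policy, and the unparseable policy line that leaves imap with no policy at all.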