Subject: Re: IPsec configuration issues
To: None <tech-security@netbsd.org>
From: Jason R Thorpe <thorpej@shagadelic.org>
List: tech-security
Date: 03/13/2000 10:04:36
Date: Mon, 13 Mar 2000 10:04:36 -0800
Message-ID: <20000313100436.B5527@dhcp0.wlan.shagadelic.org>
References: <6370.952915380@coconut.itojun.org> <200003130330.WAA06446@sandelman.ottawa.on.ca>
In-Reply-To: <200003130330.WAA06446@sandelman.ottawa.on.ca>; from mcr@sandelman.ottawa.on.ca on Sun, Mar 12, 2000 at 10:30:36PM -0500
Organization: Zembu Labs, Inc.

On Sun, Mar 12, 2000 at 10:30:36PM -0500, Michael Richardson wrote:

 >   That insists on the server that it set this policy. That means that even
 > people on the local wire, or from localhost, must encrypt. I'd rather that it 
 > was the clients that had this policy, and negotiated via racoon to have this
 > policy.

Actually, I think I'd rather have the server enforce it...  Sometimes the
"local wire" might actually be wireless, and I'd rather err on the side of
safety in the case of a poorly configured client.

-- 
        -- Jason R. Thorpe <thorpej@shagadelic.org>