Subject: Re: how do I do this with our ipsec...
To: Perry E. Metzger <perry@wasabisystems.com>
From: Jason R Thorpe <thorpej@wasabisystems.com>
List: tech-security
Date: 06/22/2002 17:48:16

On Sat, Jun 22, 2002 at 08:33:19PM -0400, Perry E. Metzger wrote:
> I'd hope you could, but again, I can't figure out HOW.

Using "spdadd" to add the policy in /etc/ipsec.conf (which is used
by setkey(8)).
The "upperspec" described in the setkey(8) manual pages is the protocol
name (any protocol name in /etc/protocols), so:

	spdadd 0.0.0.0/0 0.0.0.0/0 esp -P out none;
	spdadd 0.0.0.0/0 0.0.0.0/0 esp -P in none;

...I think will tell the SPD "nothing required for any inbound or
outbound traffic already running in ESP".
--
-- Jason R. Thorpe <thorpej@wasabisystems.com>