Date:      Fri, 21 Sep 2001 10:16:57 +0100
From:      Brian Somers <brian@freebsd-services.com>
To:        Sameh Ghane <sw@anthologeek.net>
Cc:        net@FreeBSD.ORG, brian@freebsd-services.com
Subject:   Re: IPSEC question.. 
Message-ID:  <200109210916.f8L9GvR34876@hak.lan.Awfulhak.org>
In-Reply-To: Message from Sameh Ghane <sw@anthologeek.net>  of "Fri, 21 Sep 2001 11:05:14 +0200." <20010921110514.G77863@anthologeek.net> 

> On Fri, Sep 21, 2001 at 09:47:03AM +0100, Brian Somers wrote:
> > 
> >   spdadd 1.2.3.4/32 5.6.7.8/32 ip4 -P in ipsec esp/transport//require;
> >   spdadd 5.6.7.8/32 1.2.3.4/32 ip4 -P out ipsec esp/transport//require;
> > 
> > This is your setkey input.  The ``ip4'' bit tells ipsec to only touch 
> > IP-in-IP traffic, so comms going from an internal LAN to an external 
> > gateway address (1.2.3.4 or 5.6.7.8) won't be encrypted (but may be 
> > NAT'd).  Only the gif-encapsulated traffic is encrypted.
> 
> Hum, looks great, but the man page for setkey says:
> 
> «     spdadd src_range dst_range upperspec policy ;
> 
>      upperspec
>              Upper-layer protocol to be used.  Currently tcp, udp and any can
>              be specified.  any stands for ``any protocol''. »
> 
> And when I use 'ip4' instead of any/icmp/tcp/udp, it says: 
> line #[where ip4]: Syntax error at [i].
> 
> (Funny error location, by the way).
> 
> Is it a « new feature » with 4.4's shipped KAME's setkey ?

Yes, it was added by me specifically to permit NAT & IPSEC to work
together (although the KAME guys have made it better by now allowing
any protocols(5) value).

The patch is very simple, so you may want to patch your system
(kernel support is already there, it's just a one-line userland
change).

> -- 
> Sameh

Cheers.

-- 

Brian <brian@freebsd-services.com>                <brian@Awfulhak.org>
      http://www.freebsd-services.com/        <brian@[uk.]FreeBSD.org>
Don't _EVER_ lose your sense of humour !      <brian@[uk.]OpenBSD.org>

Index: token.l
===================================================================
RCS file: /home/ncvs/src/usr.sbin/setkey/token.l,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- token.l	4 Jul 2000 16:22:05 -0000	1.3
+++ token.l	17 May 2001 15:30:49 -0000	1.4
@@ -200,6 +200,7 @@
 	/* upper layer protocols */
 icmp		{ PREPROC; yylval.num =3D IPPROTO_ICMP; return(UP_PROTO); }
 icmp6		{ PREPROC; yylval.num =3D IPPROTO_ICMPV6; return(UP_PROTO); }
+ip4		{ PREPROC; yylval.num =3D IPPROTO_IPV4; return(UP_PROTO); }
 tcp		{ PREPROC; yylval.num =3D IPPROTO_TCP; return(UP_PROTO); }
 udp		{ PREPROC; yylval.num =3D IPPROTO_UDP; return(UP_PROTO); }
 =

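Review bot: setkey.8 is not touched by this hunk, and the man page text quoted above still tells users that upperspec is limited to tcp, udp and any, so the new `ip4` keyword is undiscoverable except by reading token.l or by hitting the "Syntax error at [i]" Sameh reports; the same commit should add ip4 (IPPROTO_IPV4, protocol 4, the IPv4-in-IPv4 encapsulation that gif produces) to the upperspec list in setkey.8. A smaller point: only the IPv4-in-IPv4 case gains a keyword, so a gif tunnel carrying IPv6 (protocol 41, IPPROTO_IPV6) still cannot be selected by upper-layer protocol; an `ip6 { PREPROC; yylval.num = IPPROTO_IPV6; return(UP_PROTO); }` line beside the new one would keep the pair symmetric.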



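To make the NAT-versus-IPsec point in the quoted spdadd lines concrete, here is an added example, not code from this thread or from KAME/FreeBSD: a toy SPD matcher that parses the two `ip4` policies from the message (plus a constructed `any` variant for contrast) and looks up constructed packets against them. The upperspec keywords and protocol numbers are the IPPROTO_* values, and the gateway addresses are the ones in the message; the class and function names, the "first match wins, no match means plain text" rule, and all sample packets are this example's own simplifications.

```python
"""Toy SPD matcher for setkey(8) spdadd policies (added example, not KAME code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# upperspec keywords -> IANA protocol numbers (IPPROTO_* values); None means 'any'
UPPERSPEC = {"any": None, "icmp": 1, "ip4": 4, "tcp": 6, "udp": 17, "icmp6": 58}

LOCAL_GW, PEER_GW = "5.6.7.8", "1.2.3.4"   # gateway addresses from the quoted policies


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int]     # None == any
    direction: str           # 'in' or 'out'
    action: str              # e.g. 'ipsec esp/transport//require'

    def matches(self, src, dst, proto, direction):
        return (direction == self.direction
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and self.proto in (None, proto))


def parse_spdadd(line):
    """Parse 'spdadd SRC DST UPPERSPEC -P DIR ACTION... ;' into a Policy."""
    toks = line.strip().rstrip(";").split()
    if len(toks) < 7 or toks[0] != "spdadd" or toks[4] != "-P":
        raise ValueError("not an spdadd line: %r" % line)
    if toks[3] not in UPPERSPEC:
        # Sameh's error quotes only the first character ([i] for ip4); mimic that.
        raise ValueError("Syntax error at [%s]" % toks[3][0])
    return Policy(ipaddress.ip_network(toks[1]), ipaddress.ip_network(toks[2]),
                  UPPERSPEC[toks[3]], toks[5], " ".join(toks[6:]))


def load_spd(text):
    return [parse_spdadd(l) for l in text.splitlines() if l.strip()]


def lookup(spd, src, dst, proto, direction):
    """First matching entry wins; no match means the packet passes in plain text
    (a simplification of the real SPD, which has ordering/priority rules)."""
    for pol in spd:
        if pol.matches(src, dst, proto, direction):
            return pol.action
    return "none"


def gif_encapsulate(inner_src, inner_dst, inner_proto):
    """What the SPD sees after gif(4) wraps a LAN packet: an outer header with
    the two gateway addresses and protocol 4 (IPv4-in-IPv4); the inner packet
    becomes the payload."""
    outer = (LOCAL_GW, PEER_GW, UPPERSPEC["ip4"])
    payload = (inner_src, inner_dst, inner_proto)
    return outer, payload


# The two policies from the message, as written for the 5.6.7.8 gateway.
IP4_SPD = load_spd("""
spdadd 1.2.3.4/32 5.6.7.8/32 ip4 -P in ipsec esp/transport//require;
spdadd 5.6.7.8/32 1.2.3.4/32 ip4 -P out ipsec esp/transport//require;
""")

# Constructed contrast: the same selectors with the 'any' upperspec the man page documents.
ANY_SPD = load_spd("""
spdadd 1.2.3.4/32 5.6.7.8/32 any -P in ipsec esp/transport//require;
spdadd 5.6.7.8/32 1.2.3.4/32 any -P out ipsec esp/transport//require;
""")

if __name__ == "__main__":
    # Constructed packets from a LAN host (192.168.1.10) behind the 5.6.7.8 gateway.
    tunnel, _ = gif_encapsulate("192.168.1.10", "10.0.0.5", 6)   # LAN-to-LAN via gif
    natted = (LOCAL_GW, PEER_GW, 6)   # same host NAT'd, talking to the peer's public address
    for name, spd in (("ip4", IP4_SPD), ("any", ANY_SPD)):
        print("%-3s tunnel: %-30s nat'd tcp: %s" % (
            name, lookup(spd, *tunnel, "out"), lookup(spd, *natted, "out")))
```

With the `ip4` selector only the protocol-4 outer packet that gif emits hits the ESP-require entry; the NAT'd TCP flow from the gateway address to the peer's public address finds no entry and goes out in plain text, which is the behaviour Brian describes. With `any` in the same slot that NAT'd flow is also forced into the transport-mode ESP policy, which is what the patch lets you avoid.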




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200109210916.f8L9GvR34876>