Subject: Re: setkey and
To: Martti Kuparinen <>
From: Daniel Carosone <>
List: current-users
Date: 12/22/2004 06:17:04
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Dec 21, 2004 at 08:28:30PM +0200, Martti Kuparinen wrote:
> Hi!
> I'm debating with someone about setkey's spdadd syntax. Here's an example:
> spdadd any -P out ipsec
>   esp/tunnel/;
> Which one is true:
> 1) is "any of my local addresses"
> 2) is "any address, local or foreign"
> I'd say #2 so I read the above rule as "outgoing traffic from anyone
> in the network to any destination must be tunneled and outer
> header's src=10.0.0.10 and dst=10.0.0.1".

That would certainly be my expectation; tunnels couldn't work right if
they could only match local addresses of the tunnel endpoints.

> I also read it that is my address and is the security
> gateway's address.

I'm not sure this strictly needs to be true (it's talking about the
outer header addresses, which might not actually be the real tunnel
endpoint addresses in the presence of certain rare NAT setups) but
essentially, yes.
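
For reference, here is a complete SPD policy pair written out under
reading #2 (selectors match the inner-header addresses of any packet,
not only the local endpoint's). This is an added illustration, not
text from either of the posters; the inner network 192.168.1.0/24 is a
constructed value, while 10.0.0.10 and 10.0.0.1 are the outer-header
addresses quoted above:

```conf
# Constructed example setkey(8) SPD entries, not from the original mail.
# Outbound: anything whose inner src is in 192.168.1.0/24 (the local
# network behind this gateway), to any inner dst, is tunneled in ESP
# with outer src=10.0.0.10 (this gateway) and outer dst=10.0.0.1 (peer).
spdadd 192.168.1.0/24 0.0.0.0/0 any -P out ipsec
    esp/tunnel/10.0.0.10-10.0.0.1/require;

# Inbound mirror: traffic arriving for 192.168.1.0/24 from anywhere must
# have come through the reverse tunnel, outer src=10.0.0.1, dst=10.0.0.10.
# Without this entry, cleartext packets claiming an inner src elsewhere
# and an inner dst in 192.168.1.0/24 would still be accepted.
spdadd 0.0.0.0/0 192.168.1.0/24 any -P in ipsec
    esp/tunnel/10.0.0.1-10.0.0.10/require;
```

The selector fields (src, dst, upper-layer protocol) are matched against
the packet as it would appear inside the tunnel; only the
esp/tunnel/A-B part names the outer-header endpoints, which is why the
selector src can be a whole network rather than a single local address.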
