Subject: Re: setkey and 0.0.0.0/0
To: Martti Kuparinen <firstname.lastname@example.org>
From: Daniel Carosone <email@example.com>
Date: 12/22/2004 06:17:04
Content-Type: text/plain; charset=us-ascii
On Tue, Dec 21, 2004 at 08:28:30PM +0200, Martti Kuparinen wrote:
> I'm debating with someone about setkey's spdadd syntax. Here's an example:
> spdadd 10.0.0.0/24 0.0.0.0/0 any -P out ipsec
> Which one is true:
> 1) 0.0.0.0/0 is "any of my local addresses"
> 2) 0.0.0.0/0 is "any address, local or foreign"
> I'd say #2 so I read the above rule as "outgoing traffic from anyone
> in the 10.0.0.0/24 network to any destination must be tunneled and outer
> header's src=10.0.0.10 and dst=10.0.0.1".
That would certainly be my expectation; tunnels couldn't work right if
they could only match local addresses of the tunnel endpoints.
> I also read it that 10.0.0.10 is my address and 10.0.0.1 is the security
> gateway's address.
I'm not sure this strictly needs to be true (it's talking about the
outer header addresses, which might not actually be the real tunnel
endpoint addresses in the presence of certain rare NAT setups) but
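Added illustration, not part of the mail thread and not setkey or kernel code: a small Python model of how the SPD selectors of a spdadd rule are matched against a packet, written to make reading #2 concrete. The policy lines, addresses and the inbound mirror rule are constructed for the example; the full tunnel form `esp/tunnel/10.0.0.10-10.0.0.1/require` is assumed from the outer-header addresses quoted above. The matcher is deliberately simplified (no port selectors, first-match lookup) and is not a claim about the kernel's own ordering.

```python
"""Model of spdadd selector matching (added example; not from the mail or
from the setkey/KAME sources).  Shows that 0.0.0.0/0 is an address-range
wildcard: any IPv4 address, local or foreign, falls inside it."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    upper: str                          # "any" or an upper-layer protocol name
    direction: str                      # "in" or "out"
    action: str                         # "ipsec", "discard" or "none"
    tunnel: Optional[Tuple[str, str]]   # (outer src, outer dst) for esp/tunnel rules


# spdadd <src> <dst> <upper> -P <dir> <action> [esp/tunnel/<osrc>-<odst>/<level>];
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+(ipsec|discard|none)"
    r"(?:\s+esp/tunnel/(\S+?)-(\S+?)/\w+)?\s*;"
)


def parse_spdadd(line: str) -> Policy:
    """Parse one spdadd line into a Policy (subset of the real syntax)."""
    m = SPDADD_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a supported spdadd line: {line!r}")
    src, dst, upper, direction, action, osrc, odst = m.groups()
    return Policy(
        src=ipaddress.ip_network(src, strict=False),
        dst=ipaddress.ip_network(dst, strict=False),
        upper=upper,
        direction=direction,
        action=action,
        tunnel=(osrc, odst) if osrc else None,
    )


def selector_matches(p: Policy, src: str, dst: str, proto: str, direction: str) -> bool:
    """True when the packet's inner src/dst/proto/direction fit the selectors.
    Note that nothing here asks whether src or dst is one of *our* addresses:
    a /0 prefix simply contains every address."""
    return (
        direction == p.direction
        and ipaddress.ip_address(src) in p.src
        and ipaddress.ip_address(dst) in p.dst
        and p.upper in ("any", proto)
    )


def lookup(spd: List[Policy], src: str, dst: str, proto: str, direction: str) -> Optional[Policy]:
    """First matching policy wins (simplification of the kernel's SPD order)."""
    for p in spd:
        if selector_matches(p, src, dst, proto, direction):
            return p
    return None


# Constructed SPD: the rule from the thread (with its assumed tunnel spec)
# plus the inbound mirror a gateway would normally carry.
SPD_TEXT = """
spdadd 10.0.0.0/24 0.0.0.0/0 any -P out ipsec esp/tunnel/10.0.0.10-10.0.0.1/require;
spdadd 0.0.0.0/0 10.0.0.0/24 any -P in ipsec esp/tunnel/10.0.0.1-10.0.0.10/require;
"""
SPD = [parse_spdadd(l) for l in SPD_TEXT.splitlines() if l.strip()]


if __name__ == "__main__":
    for pkt in [("10.0.0.42", "198.51.100.7", "tcp", "out"),   # foreign dst
                ("10.0.0.42", "10.0.0.1", "udp", "out"),       # gateway's own address
                ("192.168.1.5", "198.51.100.7", "tcp", "out"), # src outside the /24
                ("198.51.100.7", "10.0.0.42", "tcp", "in")]:
        p = lookup(SPD, *pkt)
        print(pkt, "->", "no policy" if p is None else f"{p.action} tunnel={p.tunnel}")
```

The second packet is the interesting one for the thread: 10.0.0.1 is the gateway's own address and it still matches the `0.0.0.0/0` destination selector, because the selector is a prefix test, not a "local address" test.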