Subject: Re: setkey and 0.0.0.0/0
To: Martti Kuparinen <martti.kuparinen@iki.fi>
From: Daniel Carosone <dan@geek.com.au>
List: current-users
Date: 12/22/2004 06:17:04

On Tue, Dec 21, 2004 at 08:28:30PM +0200, Martti Kuparinen wrote:
> Hi!
>
> I'm debating with someone about setkey's spdadd syntax. Here's an example:
>
> spdadd 10.0.0.0/24 0.0.0.0/0 any -P out ipsec
>   esp/tunnel/10.0.0.10-10.0.0.1/require;
>
> Which one is true:
>
> 1) 0.0.0.0/0 is "any of my local addresses"
> 2) 0.0.0.0/0 is "any address, local or foreign"
>
> I'd say #2 so I read the above rule as "outgoing traffic from anyone
> in the 10.0.0.0/24 network to any destination must be tunneled and outer
> header's src=10.0.0.10 and dst=10.0.0.1".

That would certainly be my expectation; tunnels couldn't work right if
they could only match local addresses of the tunnel endpoints.

> I also read it that 10.0.0.10 is my address and 10.0.0.1 is the security
> gateway's address.

I'm not sure this strictly needs to be true (it's talking about the
outer header addresses, which might not actually be the real tunnel
endpoint addresses in the presence of certain rare NAT setups) but
essentially, yes.

--
Dan.
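
As an added example (not code from either message above, and not part of
setkey itself), the following Python treats the spdadd line from the thread
as an SPD selector and checks candidate packets against it. The toy parser
covers only the form used in the example (address/prefix selectors, an
upperspec, -P direction, a single esp/tunnel policy string); ports, IPv6
and multiple policy strings are assumed out of scope. Because 0.0.0.0/0
is the prefix that covers every IPv4 address, the outbound policy fires
for a foreign destination exactly as it does for one on the local /24,
which is reading #2. The sample packets are constructed for illustration.

```python
"""Toy SPD selector matcher for a setkey(8) spdadd line.

Added example, not from the mailing-list thread or from setkey.
Handles the simplified form used in the thread:

    spdadd <src>[/len] <dst>[/len] <upperspec> -P <in|out|fwd> ipsec
        <esp|ah|ipcomp>/<tunnel|transport>/<outer-src>-<outer-dst>/<level>;

Ports, IPv6 and multiple policy strings are assumed out of scope.
"""
import ipaddress
import re
from dataclasses import dataclass

# The policy under discussion, copied from the thread.
POLICY_TEXT = """
spdadd 10.0.0.0/24 0.0.0.0/0 any -P out ipsec
  esp/tunnel/10.0.0.10-10.0.0.1/require;
"""

_SPDADD = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\s+ipsec\s+"
    r"(esp|ah|ipcomp)/(tunnel|transport)/([\d.]+)-([\d.]+)/(\w+)\s*;"
)


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network      # selector on the inner packet's source
    dst: ipaddress.IPv4Network      # selector on the inner packet's destination
    upperspec: str                  # "any" or an upper-layer protocol name
    direction: str                  # in / out / fwd
    proto: str                      # esp / ah / ipcomp
    mode: str                       # tunnel / transport
    outer_src: str                  # outer header source (tunnel mode)
    outer_dst: str                  # outer header destination (tunnel mode)
    level: str                      # default / use / require / unique


def parse_spdadd(text: str) -> Policy:
    """Parse one spdadd statement; line breaks inside it are tolerated."""
    m = _SPDADD.search(" ".join(text.split()))
    if not m:
        raise ValueError("unrecognised spdadd statement")
    src, dst, upper, direction, proto, mode, osrc, odst, level = m.groups()
    # strict=False lets "10.0.0.10" (no prefix) become a /32 selector.
    return Policy(
        ipaddress.ip_network(src, strict=False),
        ipaddress.ip_network(dst, strict=False),
        upper, direction, proto, mode, osrc, odst, level,
    )


def matches(policy: Policy, src_ip: str, dst_ip: str,
            direction: str, upper: str = "tcp") -> bool:
    """Does a packet with these inner addresses hit this policy?

    The selector is evaluated on the packet's own addresses, so 0.0.0.0/0
    matches any destination, local or foreign.
    """
    return (
        direction == policy.direction
        and policy.upperspec in ("any", upper)
        and ipaddress.ip_address(src_ip) in policy.src
        and ipaddress.ip_address(dst_ip) in policy.dst
    )


def outer_header(policy: Policy) -> tuple:
    """Outer (tunnel) header addresses the policy prescribes."""
    if policy.mode != "tunnel":
        raise ValueError("transport mode adds no outer header")
    return (policy.outer_src, policy.outer_dst)


def demo() -> dict:
    """Evaluate a few constructed packets against the thread's policy."""
    p = parse_spdadd(POLICY_TEXT)
    return {
        # local source, destination on the same /24: matches
        "local_dst": matches(p, "10.0.0.42", "10.0.0.1", "out"),
        # local source, foreign destination (TEST-NET-1): also matches
        "foreign_dst": matches(p, "10.0.0.42", "192.0.2.7", "out"),
        # source outside 10.0.0.0/24: no match
        "foreign_src": matches(p, "192.0.2.7", "10.0.0.42", "out"),
        # right addresses but inbound: this is an "-P out" policy only
        "inbound": matches(p, "10.0.0.42", "192.0.2.7", "in"),
        "outer": outer_header(p),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The inbound side needs its own mirrored "-P in" policy with the selector
and outer addresses swapped; the thread's line on its own only covers
outgoing traffic, which is what the "inbound" case above shows.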
