Subject: Re: setkey and
To: Martti Kuparinen <>
From: Jochen Kunz <>
List: current-users
Date: 12/22/2004 00:36:03
On Tue, 21 Dec 2004 20:28:30 +0200 (EET)
Martti Kuparinen <> wrote:

> Hi!
> I'm debating with someone about setkey's spdadd syntax. Here's an
> example:
> spdadd any -P out ipsec
>    esp/tunnel/;
> Which one is true:
> 1) is "any of my local addresses"
> 2) is "any address, local or foreign"
> I'd say #2 so I read the above rule as "outgoing traffic from anyone
> in the network to any destination must be tunneled and
> outer header's src=10.0.0.10 and dst=10.0.0.1".
> I also read it that is my address and is the
> security gateway's address.
> Am I right or wrong?
You are right. The above may not work as the tunnel endpoints are in the
same subnet as the source address range. This may confuse the IPsec
code. (Or the user of it. ;-) ) But I am no IPsec expert.

I use this:

spdadd any -P in none;
spdadd any -P out none;

spdadd any -P out ipsec
spdadd any -P in ipsec

spdadd any -P in ipsec
spdadd any -P out ipsec
        esp/tunnel/;

is the LAN with all my machines. It is connected to a
router with a second interface is a special subnet only for transporting non-local
traffic to the DSL router ( by WLAN.

Note that you need the first two rules. means everything,
including Obviously. So if you omit the first two rules
the machine wants to tunnel every packet, even those from the local
Ethernet that don't have to be tunneled. Yes, I have learned this the hard
way. ;-)
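Added example (not the mail's own configuration, and not setkey or kernel code): a small Python model of a first-match walk over the first four SPD rules above, showing why the two LAN-to-LAN `none` entries must be present. The network addresses are constructed RFC 5737 placeholders, since the real ones did not survive the archive, and first-match evaluation in rule order is an assumption of the model.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder networks (RFC 5737); the mail's real addresses were
# stripped from the archive, so these stand in for them.
LAN = ip_network("192.0.2.0/24")  # the LAN with all the machines behind the router
TUNNEL = "ipsec esp/tunnel/<router>-<dslrouter>/require"  # placeholder endpoints


def _match(selector, addr):
    """setkey's 'any' selector matches every address; otherwise test the prefix."""
    return selector == "any" or addr in selector


def lookup(spd, src, dst, direction):
    """Return the policy of the first SPD entry matching the packet.

    First-match in rule order is this model's assumption about the SPD walk.
    None means no entry matched and the host's default policy applies."""
    src, dst = ip_address(src), ip_address(dst)
    for rule_src, rule_dst, rule_dir, policy in spd:
        if rule_dir == direction and _match(rule_src, src) and _match(rule_dst, dst):
            return policy
    return None


# The mail's first four rules, with the LAN-internal 'none' rules placed first.
SPD_WITH_NONE = [
    (LAN, LAN, "in", "none"),
    (LAN, LAN, "out", "none"),
    (LAN, "any", "out", TUNNEL),
    ("any", LAN, "in", TUNNEL),
]

# The same SPD with the two 'none' rules omitted.
SPD_WITHOUT_NONE = SPD_WITH_NONE[2:]


def lan_to_lan_policy(spd):
    """Policy applied to an outbound packet between two LAN hosts (constructed addresses)."""
    return lookup(spd, "192.0.2.10", "192.0.2.20", "out")


def lan_to_internet_policy(spd):
    """Policy applied to an outbound packet from a LAN host to a remote address."""
    return lookup(spd, "192.0.2.10", "203.0.113.7", "out")


if __name__ == "__main__":
    print("LAN->LAN with none rules:   ", lan_to_lan_policy(SPD_WITH_NONE))     # 'none'
    print("LAN->LAN without none rules:", lan_to_lan_policy(SPD_WITHOUT_NONE))  # TUNNEL
    print("LAN->Internet:              ", lan_to_internet_policy(SPD_WITH_NONE))  # TUNNEL
```

Without the two `none` entries, a packet between two LAN hosts falls through to the `any`-destination tunnel rule, which is the behaviour the mail describes.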