Subject: Re: Order of SPD evaluation in ipsec
To: Christoph Kaegi <kgc@zhwin.ch>
From: None <itojun@iijlab.net>
List: tech-crypto
Date: 05/09/2001 19:02:21
>I am setting up two NetBSD 1.5 boxes which tunnel and 
>(ESP) encrypt traffic like follows:
(snip)
>I have successfully set up the systems, traffic gets
>encrypted between the boxes.
>But how can I drop all packets on the boxes which
>aren't from or to Net[1234] ?
>I tried with additional SPD entries like:
>   # disallow everything else
>   spdadd Net1 0.0.0.0/0 any -P out discard ;
>   spdadd 0.0.0.0/0 Net1 any -P in discard;
>... at the *end* of my /etc/ipsec.conf.
>This doesn't work. (No connection at all anymore)

	SPD entries work like packet filters - the first one that matches
	decides the behavior.

itojun
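Added illustration, not part of the thread: a small Python model of the first-match rule itojun describes, run over an ipsec.conf fragment in setkey(8) syntax. The networks, gateway addresses and the tunnel policies are constructed stand-ins for the snipped ones; with the specific tunnel policies listed before the catch-all discard, Net1 to Net2 traffic resolves to `ipsec` and other Net1 traffic to `discard`, while listing the discard first swallows everything.

```python
import ipaddress

# Constructed sample networks and gateways (the real ones were snipped in the thread).
NET1 = "10.1.0.0/16"
NET2 = "10.2.0.0/16"
GW1, GW2 = "192.0.2.1", "192.0.2.2"

# Constructed /etc/ipsec.conf fragment in setkey(8) syntax: specific policies first,
# catch-all discard last.
IPSEC_CONF = f"""
spdadd {NET1} {NET2} any -P out ipsec esp/tunnel/{GW1}-{GW2}/require;
spdadd {NET2} {NET1} any -P in ipsec esp/tunnel/{GW2}-{GW1}/require;
# disallow everything else
spdadd {NET1} 0.0.0.0/0 any -P out discard ;
spdadd 0.0.0.0/0 {NET1} any -P in discard;
"""


def parse_spd(text):
    """Parse 'spdadd src dst proto -P dir policy ...;' lines into tuples, in file order."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";").strip()
        if not line.startswith("spdadd"):
            continue
        _, src, dst, proto, _flag, direction, policy = line.split()[:7]
        entries.append((ipaddress.ip_network(src), ipaddress.ip_network(dst),
                        proto, direction, policy))
    return entries


def lookup(spd, src, dst, direction, proto="any"):
    """First matching entry decides, like a packet filter.

    Assumption in this model: a packet matching no entry gets policy 'none'.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for net_src, net_dst, net_proto, net_dir, policy in spd:
        if net_dir == direction and s in net_src and d in net_dst \
                and net_proto in ("any", proto):
            return policy
    return "none"


if __name__ == "__main__":
    spd = parse_spd(IPSEC_CONF)
    print(lookup(spd, "10.1.0.5", "10.2.0.7", "out"))       # ipsec
    print(lookup(spd, "10.1.0.5", "198.51.100.9", "out"))   # discard
    print(lookup(list(reversed(spd)), "10.1.0.5", "10.2.0.7", "out"))  # discard
```

This models only the first-match ordering rule; it does not reproduce the kernel's full SPD lookup.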