Subject: Re: netkey API has severe problems
To: None <tech-kern@netbsd.org>
From: Alan Barrett <apb@cequrux.com>
List: tech-kern
Date: 04/04/2000 10:55:41
On Tue, 4 Apr 2000 itojun@iijlab.net wrote:
> 	racoon should grab policy configuration from the kernel and compile
> 	IKE phase proposal based on it.  sakane (cc'ed) is working on it.

To deal with roaming users, you should be able to have a policy like
"I don't care what IP address the remote side uses; I require the
remote side to present a user_fqdn from a preconfigured list, and to
know the associated secret; then I want all traffic to be protected by
algorithms X and Y".  There's no way to configure such a policy into
the kernel; you have to configure it into racoon.

During ISAKMP phase 1, the kernel doesn't yet have any SPD or SAD
entries for the remote side, but racoon should be able to check that
the remote side has good credentials; only after phase 1 has completed
is it possible to add SPD entries to the kernel, because only now is
the remote side's IP address known.  racoon should add the SPD entry
to the kernel at the end of phase 1.

--apb (Alan Barrett)
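The policy described above (identity-based rather than address-based, with the kernel SPD entry installed only once phase 1 reveals the peer's address) modelled as a small Python simulation. This is an added illustration, not racoon's or the KAME kernel's code; the `Kernel`, `RoamingPolicy` and `phase1_responder` names are hypothetical, the sample identities, secrets and addresses are constructed, and the HMAC-over-nonce proof is a stand-in for the real IKE phase 1 pre-shared-key authentication (HASH_I/HASH_R derived from SKEYID), chosen only so the secret itself never crosses the wire.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RoamingPolicy:
    """Daemon-side policy for roaming users.

    Deliberately has no remote-address field: "I don't care what IP
    address the remote side uses."  Peers are admitted by user_fqdn and
    the secret associated with that identity.
    """
    allowed_ids: dict          # user_fqdn -> pre-shared secret (bytes)
    esp_algs: tuple            # algorithms X and Y to protect traffic with


@dataclass
class Kernel:
    """Stand-in for the kernel SPD.  Real SPD entries are keyed by
    addresses, which is exactly why this policy cannot live here."""
    spd: dict = field(default_factory=dict)   # (local, remote) -> algs

    def spdadd(self, local, remote, algs):
        self.spd[(local, remote)] = algs


class Phase1Error(Exception):
    pass


def phase1_proof(secret, nonce, identity):
    """Hypothetical credential proof: HMAC over the responder's nonce and
    the claimed identity, so possession of the secret is shown without
    transmitting it."""
    return hmac.new(secret, nonce + identity.encode(), hashlib.sha256).digest()


def phase1_responder(policy, kernel, local_addr, remote_addr, identity, nonce, proof):
    """Responder side of phase 1.

    remote_addr is known only from the packet that just arrived; before
    this point there is nothing the kernel SPD could have been keyed on.
    The SPD entry is added only after the credentials check out.
    """
    secret = policy.allowed_ids.get(identity)
    if secret is None:
        raise Phase1Error("identity %r not in preconfigured list" % identity)
    expected = phase1_proof(secret, nonce, identity)
    # Constant-time comparison: do not leak how many bytes matched.
    if not hmac.compare_digest(expected, proof):
        raise Phase1Error("bad credentials for %r" % identity)
    # End of phase 1: the peer address is now known, install the SPD entry.
    kernel.spdadd(local_addr, remote_addr, policy.esp_algs)
    return (local_addr, remote_addr)


def run_demo():
    """Three attempts against one policy: good peer, unknown fqdn, wrong secret.
    Returns the outcomes and the resulting SPD so the effect is observable."""
    # Constructed sample data.
    policy = RoamingPolicy(
        allowed_ids={"alice@example.org": b"alice-psk", "bob@example.org": b"bob-psk"},
        esp_algs=("aes-cbc", "hmac-sha256"),
    )
    kernel = Kernel()
    local = "192.0.2.1"
    results = {}

    # A known user dialing in from an address nobody configured in advance.
    nonce = secrets.token_bytes(16)
    proof = phase1_proof(b"alice-psk", nonce, "alice@example.org")
    results["alice"] = phase1_responder(policy, kernel, local, "203.0.113.77",
                                        "alice@example.org", nonce, proof)

    # Unknown identity: rejected in phase 1, nothing reaches the SPD.
    nonce = secrets.token_bytes(16)
    proof = phase1_proof(b"whatever", nonce, "mallory@example.org")
    try:
        phase1_responder(policy, kernel, local, "198.51.100.9",
                         "mallory@example.org", nonce, proof)
        results["mallory"] = "accepted"
    except Phase1Error as e:
        results["mallory"] = str(e)

    # Right identity, wrong secret: also rejected.
    nonce = secrets.token_bytes(16)
    proof = phase1_proof(b"guess", nonce, "bob@example.org")
    try:
        phase1_responder(policy, kernel, local, "198.51.100.10",
                         "bob@example.org", nonce, proof)
        results["bob"] = "accepted"
    except Phase1Error as e:
        results["bob"] = str(e)

    return results, kernel.spd


if __name__ == "__main__":
    outcomes, spd = run_demo()
    print(outcomes)
    print(spd)
```

Running it shows a single SPD entry keyed by the address learned during Alice's phase 1, and none for the two failed attempts; the kernel never sees an identity, only the address pair and algorithms that the daemon decided on.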