Subject: ipsec_set_policy(3) syntax for multiple tunnel endpoints
To: None <firstname.lastname@example.org>
From: Matthias Drochner <M.Drochner@fz-juelich.de>
Date: 06/17/2002 17:58:58
I've set up a gateway which acts as an ipsec tunnel endpoint for
a number of wireless machines.
The setup is similar to the "leaf-node tunnel" example in the ipsec FAQ.
ipsec.conf on the wireless client A looks like:
spdadd A 0.0.0.0/0 any -P out ipsec esp/tunnel/A-R/require;
spdadd 0.0.0.0/0 A any -P in ipsec esp/tunnel/R-A/require;
where R is the router and A, B, C... are the clients.
On the router R the list gets longer:
spdadd 0.0.0.0/0 A any -P out ipsec esp/tunnel/R-A/require;
spdadd A 0.0.0.0/0 any -P in ipsec esp/tunnel/A-R/require;
spdadd 0.0.0.0/0 B any -P out ipsec esp/tunnel/R-B/require;
spdadd B 0.0.0.0/0 any -P in ipsec esp/tunnel/B-R/require;
spdadd 0.0.0.0/0 C any -P out ipsec esp/tunnel/R-C/require;
spdadd C 0.0.0.0/0 any -P in ipsec esp/tunnel/C-R/require;
spdadd 0.0.0.0/0 DLNET any -P out discard;
spdadd DLNET 0.0.0.0/0 any -P in discard;
DLNET is the network where all the diskless boxes are in.
Obviously, this doesn't scale well. It would be nice
just to need two lines like:
spdadd 0.0.0.0/0 DLNET any -P out ipsec esp/tunnel/R-(=PEER)/require;
where (=PEER) would evaluate to the actual connection partner from
DLNET at runtime.
Is there already a way which I missed?
Or isn't this a good idea in general?
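As an added example (not part of the mail above; the addresses are constructed RFC 5737 documentation values standing in for R, A, B and DLNET): a small Python check that parses router-side spdadd lines of the exact shape used in the mail and reports a client whose in/out pair is incomplete, a client whose tunnel endpoints are reversed, and a missing discard fallback for the client network in either direction.

```python
import re

# Constructed sample (RFC 5737 documentation addresses), laid out like the
# router side in the mail: ROUTER is R, 198.51.100.x hosts are clients and
# 198.51.100.0/24 is DLNET. The second client deliberately lacks its -P in line.
ROUTER = "192.0.2.1"
SAMPLE_SPD = """\
spdadd 0.0.0.0/0 198.51.100.10 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.10/require;
spdadd 198.51.100.10 0.0.0.0/0 any -P in ipsec esp/tunnel/198.51.100.10-192.0.2.1/require;
spdadd 0.0.0.0/0 198.51.100.11 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.11/require;
spdadd 0.0.0.0/0 198.51.100.0/24 any -P out discard;
spdadd 198.51.100.0/24 0.0.0.0/0 any -P in discard;
"""
# The two spdadd shapes used in the mail: ESP tunnel with endpoints, or discard.
SPD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+any\s+-P\s+(in|out)\s+"
                    r"(?:ipsec\s+esp/tunnel/([^-\s]+)-([^/\s]+)/require|(discard));")

def parse_spd(text):
    """Return one dict per recognised spdadd line; tunnel is None for discard."""
    entries = []
    for line in text.splitlines():
        m = SPD_RE.match(line.strip())
        if m:
            src, dst, direction, t_src, t_dst, discard = m.groups()
            entries.append({"src": src, "dst": dst, "dir": direction,
                            "tunnel": None if discard else (t_src, t_dst)})
    return entries

def check_router_spd(entries, router):
    """Report clients missing a direction or with reversed tunnel endpoints,
    plus a missing discard fallback for either direction."""
    problems, per_client, discard_dirs = [], {}, set()
    for e in entries:
        if e["tunnel"] is None:
            discard_dirs.add(e["dir"])
            continue
        client = e["dst"] if e["dir"] == "out" else e["src"]
        per_client.setdefault(client, {})[e["dir"]] = e["tunnel"]
    for client, dirs in per_client.items():
        # Outbound tunnel must run router->client, inbound client->router.
        expected = {"out": (router, client), "in": (client, router)}
        for d in ("out", "in"):
            if d not in dirs:
                problems.append(f"{client}: missing -P {d} policy")
            elif dirs[d] != expected[d]:
                problems.append(f"{client}: -P {d} tunnel endpoints reversed")
    for d in ("out", "in"):
        if d not in discard_dirs:
            problems.append(f"no -P {d} discard fallback for the client network")
    return problems
```

Running `check_router_spd(parse_spd(SAMPLE_SPD), ROUTER)` on the sample flags only the second client's missing inbound policy.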