Subject: ipsec_set_policy(3) syntax for multiple tunnel endpoints
To: None
From: Matthias Drochner
List: tech-net
Date: 06/17/2002 17:58:58
Hi -
I've set up a gateway which acts as an ipsec tunnel endpoint for
a number of wireless machines.
The setup is similar to the "leaf-node tunnel" example in the ipsec FAQ
ipsec.conf on the wireless client A looks like:

spdadd A any -P out ipsec esp/tunnel/A-R/require;
spdadd A any -P in ipsec esp/tunnel/R-A/require;

where R is the router and A, B, C... are the clients.

On the router R the list gets longer:

spdadd A any -P out ipsec esp/tunnel/R-A/require;
spdadd A any -P in ipsec esp/tunnel/A-R/require;
spdadd B any -P out ipsec esp/tunnel/R-B/require;
spdadd B any -P in ipsec esp/tunnel/B-R/require;
spdadd C any -P out ipsec esp/tunnel/R-C/require;
spdadd C any -P in ipsec esp/tunnel/C-R/require;
spdadd DLNET any -P out discard;
spdadd DLNET any -P in discard;

DLNET is the network where all the diskless boxes are in.

Obviously, this doesn't scale well. It would be nice
to need just two lines like:

spdadd DLNET any -P out ipsec esp/tunnel/R-(=PEER)/require;

where (=PEER) would evaluate to the actual connection partner from
DLNET at runtime.

Is there already a way which I missed?
Or isn't this a good idea in general?

best regards
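An added example, not part of the message above: whether or not setkey(8)
gains a runtime "peer" wildcard, the per-client pairs the post writes out
by hand can be generated from a client list and fed to "setkey -c". The
router, DLNET and client addresses below are constructed placeholders
(RFC 5737 documentation space), and the selectors are written in full
setkey syntax (SRC DST UPPERSPEC) with 0.0.0.0/0 standing in for "any
host"; the catch-all discard entries are kept last, as in the post.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the router-side
# setkey(8) SPD entries for every wireless client from a client list.
# All addresses are constructed placeholders (RFC 5737 space); substitute
# the real R, A, B, C and DLNET values.
#
# setkey SPD line shape used here:
#   spdadd SRC DST UPPERSPEC -P DIR ipsec PROTO/MODE/TUNSRC-TUNDST/LEVEL ;
# SRC/DST select the inner packet; TUNSRC-TUNDST are the tunnel endpoints.

# gen_spd ROUTER CLIENT...
# For each CLIENT emit the pair seen from the router: packets leaving for
# CLIENT must go into a tunnel ROUTER->CLIENT, packets arriving from
# CLIENT must have come through a tunnel CLIENT->ROUTER.
gen_spd() {
    router=$1
    shift
    for client in "$@"; do
        printf 'spdadd 0.0.0.0/0 %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
            "$client" "$router" "$client"
        printf 'spdadd %s 0.0.0.0/0 any -P in ipsec esp/tunnel/%s-%s/require;\n' \
            "$client" "$client" "$router"
    done
}

# gen_spd_conf ROUTER DLNET CLIENT...
# Whole router-side configuration: the per-client entries first, then the
# catch-all discard entries for DLNET, preserving the order the post uses
# so that a host in DLNET without its own tunnel entry is dropped.
gen_spd_conf() {
    router=$1
    dlnet=$2
    shift 2
    gen_spd "$router" "$@"
    printf 'spdadd 0.0.0.0/0 %s any -P out discard;\n' "$dlnet"
    printf 'spdadd %s 0.0.0.0/0 any -P in discard;\n' "$dlnet"
}

# count_entries ROUTER DLNET CLIENT...
# Number of SPD lines generated: two per client plus the two discards.
count_entries() {
    gen_spd_conf "$@" | wc -l | tr -d ' '
}

# Stand-alone run: print the configuration for three constructed clients.
# To load it into the kernel:  gen_spd_conf ... | setkey -c
gen_spd_conf 192.0.2.1 192.0.2.0/24 192.0.2.10 192.0.2.11 192.0.2.12
```

The generator only removes the typing; the kernel still holds one pair of
policies per client, so the SPD grows with the number of wireless hosts
exactly as before, and the discard entries must stay after the per-client
entries for the catch-all to behave as the post intends.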