Subject: Re: Flexibility of IPSec IP range configuration
To: None <itojun@iijlab.net, tech-net@netbsd.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-net
Date: 12/25/2002 13:16:19
On Wed, Dec 25, 2002 at 06:40:13PM +0900, itojun@iijlab.net wrote:
> 
> 	even in the latest KAME tree there's no support for IP address range.
> 	we have no plans on this one.

For what it's worth, during interoperability testing where I work, we
noticed that a number of commercial IKE implementations consistently express
subnets given in their policies as *ranges* in the Phase 2 client identifier
used on the wire.  This is silly, but I suppose they do it so that they can
use a single internal representation for either subnets or ranges.  So you
can configure such a client to protect 172.16.0.0/24, but on the wire it
will use a client identifier of "range 172.16.0.0-172.16.0.255" and if the
peer can't recognize that as equivalent to 172.16.0.0/24, Phase 2 will fail.

I don't know if racoon can detect ranges that are equivalent to subnets it
found in the SPDB.  This particular peer misbehaviour is common enough that
most implementations (including at least one free one) do work around it as
a matter of course, even though they don't themselves allow ranges to be
specified in the SPDB or other IKE daemon configuration.

-- 
 Thor Lancelot Simon	                                      tls@rek.tjls.com
   But as he knew no bad language, he had called him all the names of common
 objects that he could think of, and had screamed: "You lamp!  You towel!  You
 plate!" and so on.              --Sigmund Freud
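The interoperability problem described above, namely a peer that sends a Phase 2 client identifier as "range 172.16.0.0-172.16.0.255" when it means 172.16.0.0/24, comes down to deciding whether a range is exactly one CIDR-aligned block. The following is an added illustration in Python, not code from this thread, from racoon or from KAME; the function names (`parse_phase2_id`, `range_as_subnet`, `normalize_phase2_id`, `ids_match`) and the textual identifier forms are assumptions made for the example.

```python
from ipaddress import IPv4Address, IPv4Network, summarize_address_range


def parse_phase2_id(text):
    """Parse a Phase 2 client identifier written either as CIDR ("172.16.0.0/24")
    or as a range ("range 172.16.0.0-172.16.0.255" or "172.16.0.0-172.16.0.255").
    Returns ("subnet", IPv4Network) or ("range", (IPv4Address, IPv4Address)).
    The textual forms are assumed for this example."""
    text = text.strip()
    if text.startswith("range "):
        text = text[len("range "):]
    if "-" in text:
        lo, hi = (IPv4Address(p.strip()) for p in text.split("-", 1))
        if lo > hi:
            raise ValueError(f"inverted range: {text}")
        return ("range", (lo, hi))
    # strict=True rejects host bits set in the prefix, e.g. 172.16.0.1/24
    return ("subnet", IPv4Network(text, strict=True))


def range_as_subnet(lo, hi):
    """Return the single IPv4Network that covers exactly lo..hi, or None when the
    range is not CIDR-aligned (e.g. 172.16.0.1-172.16.0.255 needs several
    blocks and therefore matches no SPD subnet selector)."""
    blocks = list(summarize_address_range(lo, hi))
    return blocks[0] if len(blocks) == 1 else None


def subnet_as_range(net):
    """The range form a peer of the kind described in the thread would put on
    the wire for a subnet policy: first and last address of the block."""
    return (net.network_address, net.broadcast_address)


def normalize_phase2_id(text):
    """Canonical form for comparison: a subnet whenever the identifier (range or
    CIDR) selects exactly one CIDR block, otherwise the (lo, hi) range."""
    kind, value = parse_phase2_id(text)
    if kind == "subnet":
        return value
    net = range_as_subnet(*value)
    return net if net is not None else value


def ids_match(proposed, spd_selector):
    """True when the peer's Phase 2 identifier selects exactly the same set of
    addresses as the local SPD selector, regardless of which notation was used."""
    return normalize_phase2_id(proposed) == normalize_phase2_id(spd_selector)
```

A responder that applies `ids_match` before rejecting the peer's proposal accepts the range form for a /24 policy while still refusing a range that is genuinely wider or misaligned.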