Subject: IPsec configuration issues
To: None <tech-security@netbsd.org>
From: Jason R Thorpe <thorpej@shagadelic.org>
List: tech-security
Date: 03/12/2000 18:03:36
Message-ID: <20000312180336.A1139@dhcp0.wlan.shagadelic.org>
Reply-To: thorpej@shagadelic.org
Mail-Followup-To: tech-security@netbsd.org
Organization: Zembu Labs, Inc.

...this might really belong on tech-net, but...

I've been having some trouble figuring out how to get setkey(8)/racoon(8)
to do precisely what I want.

To summarize, I have a server which serves data to some mobile stations
which have dynamically assigned addresses, often not on networks which
are under the administrative control of the server's admin (me :-)

Some of the services that the server provides have some security problems
of their own (e.g. POP3), and IPsec is the most obvious way to address them
for a variety of reasons.

Now, the server's addresses (it has 2) are static.  However, I need a
way to say "any" for the other end.  In English, I'd like to say this:

	For all packets destined to <ip_address_of_server>[tcp port 110],
	they must be encrypted with <algorithm>.

There will be one key for each client, and it will be a fairly static thing
(much like an ssh_host_key).  However, the IP address of the client will
NOT be static.

There's not an obvious way to do this from what's documented in the
setkey(8) and racoon(8) manual pages.

Any experts on these programs have some suggestions?

-- 
        -- Jason R. Thorpe <thorpej@shagadelic.org>
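The policy stated in English above ("all packets to the server's TCP port 110 must be IPsec protected, from any client address") can be written directly in setkey(8) SPD syntax, using 0.0.0.0/0 as the "any" side. The script below is an added example, not something from the original message or from the NetBSD tree: it generates the spdadd lines for each of the server's static addresses (the 192.0.2.x addresses are placeholders) with a "require" level, so a port-110 packet that matches no SA is dropped and the kernel sends an SADB_ACQUIRE to the keying daemon. It covers only the SPD half of the problem; negotiating an SA with a peer whose address is unknown in advance is racoon's job and is not addressed here.

```shell
#!/bin/sh
# Added example (not from the original post): emit setkey(8) policy entries
# that require ESP for every TCP packet to port 110 on the server, with the
# client side left as "any".  Output is meant for "setkey -c" or "setkey -f".

# Assumed: the server's two static addresses (documentation range, replace).
SERVER_ADDRS="192.0.2.10 192.0.2.11"

# gen_pop3_spd ADDR...
# For each address, one inbound entry (anywhere -> ADDR:110) and the matching
# outbound entry (ADDR:110 -> anywhere).  Transport-mode ESP, level "require":
# unprotected traffic matching the selector is dropped rather than passed.
gen_pop3_spd() {
    for a in "$@"; do
        printf 'spdadd 0.0.0.0/0 %s[110] tcp -P in ipsec esp/transport//require;\n' "$a"
        printf 'spdadd %s[110] 0.0.0.0/0 tcp -P out ipsec esp/transport//require;\n' "$a"
    done
}

# gen_setkey_script ADDR...
# Complete input for "setkey -f": flush the SPD first so reloading the file
# replaces, rather than accumulates, policy entries.
gen_setkey_script() {
    echo 'spdflush;'
    gen_pop3_spd "$@"
}

# Stand-alone use: print the script.  To load it on the server, pipe it to
# "setkey -c" (requires root); that is deliberately not done here.
gen_setkey_script $SERVER_ADDRS
```

The entries are selector-based, so they say nothing about which key protects a given client; that binding happens when the SA is set up. With a static SAD entry per client (setkey "add"), the client's address would have to appear in the SA, which is exactly what the dynamic addressing rules out, so with this SPD the per-client key has to live on the keying daemon side.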