Subject: Re: src-ip for tunnel exterior
To: None <itojun@iijlab.net>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-security
Date: 01/23/2001 21:35:42
>>>>> "itojun" == itojun  <itojun@iijlab.net> writes:
    >> When connecting via dialup/dhcp, I seem to have to edit my SPD entries to
    >> accommodate the changes in the outer IP address:
    >> 
    >> spdadd A.B.C.D/32 A.B.C.0/24 any -P out ipsec esp/tunnel/E.F.G.H-Q.R.S.T/require;
    >> 
    >> I would like to leave E.F.G.H unspecified. Can I put 0.0.0.0 in there and
    >> let the routing system pick the appropriate outgoing IP? The man page says
    >> nothing about doing that.
    >> {Later tonight, I'll use the source}

    itojun> 	i don't think it is supported.  how can you inform of your change to
    itojun> 	the other end's policy table?

  I can see that this won't work for Racoon/Racoon, but TimeStep Permit at
the end does let me do this. Once I establish a tunnel for the inside
addresses, they will route stuff to me.

] Train travel features AC outlets with no take-off restrictions|gigabit is no[
]   Michael Richardson, Solidum Systems   Oh where, oh where has|problem  with[
]     mcr@solidum.com   www.solidum.com   the little fishy gone?|PAX.port 1100[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
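The SPD re-editing after every dialup/DHCP address change that the thread describes is usually scripted from an ip-up hook; the following sh fragment is an added example, not part of this thread or of the KAME tools, that regenerates the tunnel-mode policy from the interface's current outer address (the post's A.B.C.D / A.B.C.0/24 / Q.R.S.T placeholders are replaced by constructed RFC 5737 / private addresses, and the ifconfig text is a constructed sample):

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the tunnel-mode SPD entries
# whenever the outer (dialup/DHCP) address changes, instead of editing them
# by hand. Constructed stand-ins for the post's placeholders:
INNER_HOST="${INNER_HOST:-10.0.0.1}"     # A.B.C.D, the inner address of this host
INNER_NET="${INNER_NET:-10.0.0.0/24}"    # A.B.C.0/24, the protected remote net
REMOTE_GW="${REMOTE_GW:-192.0.2.1}"      # Q.R.S.T, the peer's tunnel endpoint

# First IPv4 address in ifconfig-style output for one interface.  The text is
# passed as an argument so the function can be exercised without an interface.
outer_addr_from_ifconfig() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2; exit }'
}

# setkey(8) policy text for the given outer address (E.F.G.H in the post).
# Both directions are deleted before being re-added so that an entry carrying
# the previous outer address never lingers in the SPD.
gen_spd() {
    outer="$1"
    printf 'spddelete %s/32 %s any -P out;\n' "$INNER_HOST" "$INNER_NET"
    printf 'spddelete %s %s/32 any -P in;\n' "$INNER_NET" "$INNER_HOST"
    printf 'spdadd %s/32 %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$INNER_HOST" "$INNER_NET" "$outer" "$REMOTE_GW"
    printf 'spdadd %s %s/32 any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$INNER_NET" "$INNER_HOST" "$REMOTE_GW" "$outer"
}

# Constructed sample standing in for `ifconfig ppp0` once the link is up.
SAMPLE_IFCONFIG='ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 198.51.100.7 --> 198.51.100.1 netmask 0xffffffff'

# On a real host the ip-up hook would run (needs root and a KAME IPsec stack):
#   gen_spd "$(outer_addr_from_ifconfig "$(ifconfig ppp0)")" | setkey -c
```

The generated `spdadd ... out` line is the one quoted in the post with E.F.G.H filled in from the interface, so the policy follows the address rather than the other way round.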