Subject: Re: how do I do this with our ipsec...
To: Perry E. Metzger <>
From: None <>
List: tech-security
Date: 06/23/2002 09:40:56
>So I want to do something that isn't that weird if you think about it,
>but which isn't that obvious to do. I have a wireless host, and I'd
>like to shove all cleartext traffic into an IPSEC tunnel to the NetBSD
>based gateway to the wired network, but not bother to double-encrypt
>stuff that is already in IPSec.
>I can't figure out for the life of me if it is possible to set this
>up, or how I'd try to do it. Yes, I've read our manual pages. They
>aren't very informative. Could someone with clue perhaps drop me a

	i didn't test it myself, but will something like this help?
	note that SPD entries are ordered, so first one that matches will be
	used. [you'll need a very recent kernel due to policy lookup bugfix]


spdadd ::1 ::1 50 -P out none;
spdadd ::1 ::1[22] tcp -P out none;
spdadd ::1[22] ::1 tcp -P out none;
spdadd ::1 ::1 any -P out ipsec esp/tunnel/::1-::1/use;