Subject: ipsec on raylink
To: None <tech-net@netbsd.org>
From: Wolfgang Rupprecht <wolfgang@wsrcc.com>
List: tech-net
Date: 02/14/2000 13:21:57
I've been ripping my hair out trying to figure out how to securely use
the ipsec stuff in -current to allow a secure connection between my
local ether and the raylink machines.  I'd really like to nfs mount my
home directories over the raylink, but there is no way I'm going to do
that without some crypto in there.  (Only the fbi and cia are
confident enough to export their nfs disks r/w to the world.)

As a first stab I've set up the raylink and local ethers to be two
different /24's.  One of the machines on the local ether is
dual-ported onto the raylink net.  Ideally I'd like a setkey.conf rule
that says "If either src or dest IP address is on the raylink, require
crypto."  Ideally I'd like the tunnel (or transport) to extend
end-to-end.  Most of the examples I could find all deal with a
three-network system; two secure nets separated by a public net.  Even
though it sounds simple, I can't figure out a similar setup for the
two-network case.  All the ideas I've had end up with either no
communication or no encryption.  Does anyone have a working example?

Are the setkey-loaded ipsec rules longest-prefix match (like CIDR) or
first or last match?  I was wondering if one could do a "deny all" and
then open it up if certain conditions were met.

As an aside, which encryption modes are appropriate for UDP?  Can one
use xxx-cbc?  I was wondering what happens with a dropped UDP packet.
Does the -cbc at both ends get out of sync and the communication
stops?  In practice does one have to use ah with esp to prevent forged
packets from being constructed and injected?  Comments to RTFM welcome
as long as they include pointers to TFM. ;-)

-wolfgang
-- 
       Wolfgang Rupprecht <wolfgang+gnus@dailyplanet.wsrcc.com>
		    http://www.wsrcc.com/wolfgang/
DGPS signals via the Internet  http://www.wsrcc.com/wolfgang/gps/dgps-ip.html
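As an added illustration of the two-network case described in the post (this is example configuration written here, not something from the post or from NetBSD itself), the following setkey.conf puts transport-mode ESP end-to-end between the local ether and the raylink net with manual keying. Everything in it is assumed: the subnets 10.0.1.0/24 (local ether) and 10.0.2.0/24 (raylink), the host pair 10.0.1.10 / 10.0.2.20, the SPIs and the key values.

```conf
# Added example, not the post's own config.  Assumed addresses:
# local ether 10.0.1.0/24, raylink 10.0.2.0/24, one host pair
# 10.0.1.10 <-> 10.0.2.20.  Load with "setkey -f <file>"; check with
# "setkey -D" (SAs) and "setkey -DP" (policies).

# Start from an empty SAD and SPD so stale entries cannot mask a mistake.
flush;
spdflush;

# Manual SAs for one host pair, one per direction.  With transport mode
# and manual keying every host pair that talks needs its own SA pair.
# Keys are throwaway sample values of the right length (3des-cbc: 24
# bytes, hmac-sha1: 20 bytes); real keys must come from a CSPRNG.
add 10.0.1.10 10.0.2.20 esp 0x10001 -m transport
    -E 3des-cbc  0x000102030405060708090a0b0c0d0e0f1011121314151617
    -A hmac-sha1 0x202122232425262728292a2b2c2d2e2f30313233;
add 10.0.2.20 10.0.1.10 esp 0x10002 -m transport
    -E 3des-cbc  0x404142434445464748494a4b4c4d4e4f5051525354555657
    -A hmac-sha1 0x606162636465666768696a6b6c6d6e6f70717273;

# Policy: a packet with either endpoint on the raylink must be
# ESP-protected ("require"); unprotected matching packets are dropped.
# The same file can go on every host: entries whose addresses never
# match that host's traffic are simply never consulted.
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec esp/transport//require;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in  ipsec esp/transport//require;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec esp/transport//require;
spdadd 10.0.1.0/24 10.0.2.0/24 any -P in  ipsec esp/transport//require;
# Raylink-to-raylink traffic is exposed over the air as well.
spdadd 10.0.2.0/24 10.0.2.0/24 any -P out ipsec esp/transport//require;
spdadd 10.0.2.0/24 10.0.2.0/24 any -P in  ipsec esp/transport//require;
```

Two points on the questions in the post that this example relies on: ESP in CBC mode carries an explicit IV in every packet, so a dropped UDP datagram does not desynchronise the cipher state between the two ends, each packet decrypts on its own; and the `-A hmac-sha1` authenticator on the ESP SA gives the receiver an integrity check on each packet, so a separate AH header is not needed just to reject forged or injected packets. The dual-ported machine only routes between the two /24's here; in transport mode it forwards the ESP packets unchanged and holds no SA for other hosts' traffic.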