Subject: Re: Using IKE with one fixed end and one dynamic end
To: Shoichi Sakane <sakane@kame.net>
From: Darren Reed <darrenr@reed.wattle.id.au>
List: tech-net
Date: 10/30/2001 14:04:59
In some email I received from Shoichi Sakane, sie wrote:
> >    Does anyone have any suggestions on how to configure IKE (racoon) for
> > access to a LAN from cable internet (DHCP) ?  Can you assume you know
> > nothing about the remote IP address ?  Particularly, what should
> > the SPDs look like.
> 
> I always define the SPD like the following.
> at the client side,
> 	spdadd 0.0.0.0/0 server any -P out ipsec esp/transport//require;
> 	spdadd server 0.0.0.0/0 any -P  in ipsec esp/transport//require;
> 
> at the server side,
> 	spdadd server 0.0.0.0/0 any -P out ipsec esp/transport//use;
> 	spdadd 0.0.0.0/0 server any -P  in ipsec esp/transport//use;
> and i specify "passive on" in the configuration file of the racoon
> at the server.

Won't this also prevent non-ipsec traffic from leaving the server ?
Oh, no, because you don't "require", only "use" if suggested by the
client, right ?

What if you want to do tunnelling and the remote end has a
dynamic IP address ?  What do you fill in for "remote" below ?

spdadd 10.1.1.1 0.0.0.0/0 any -P out ipsec esp/tunnel/10.1.1.1-remote/use;
spdadd 0.0.0.0/0 10.1.1.1 any -P  in ipsec esp/tunnel/remote-10.1.1.1/use;

Darren
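An added example, written for this page and not part of either poster's configuration, showing the server-side setup the thread discusses: a setkey(8) policy file with the "use" level from the quoted message, and a racoon.conf "remote anonymous" block with "passive on". The "generate_policy on" directive is taken from racoon.conf(5) rather than from this thread; it lets the responder create policy from the initiator's phase 2 proposal, which is what stands in for the unknown "remote" address in a tunnel-mode spdadd. The address 10.1.1.1 is the one used in the message; the file paths, the pre-shared-key file and the cipher choices (aes, sha1, dh_group 2) are assumptions for illustration.

```conf
# ---- /etc/ipsec.conf (server side), loaded with: setkey -f /etc/ipsec.conf ----
# Added example; 10.1.1.1 is the server's fixed address as in the message above.
flush;
spdflush;

# Transport mode with level "use": an SA is applied when one has been
# negotiated, otherwise the packet passes in the clear.  This is why the
# server keeps talking to non-IPsec hosts.  The flip side is that a client
# which never runs racoon reaches the server unprotected; use "require"
# on both ends if cleartext must never be accepted.
spdadd 10.1.1.1 0.0.0.0/0 any -P out ipsec esp/transport//use;
spdadd 0.0.0.0/0 10.1.1.1 any -P in  ipsec esp/transport//use;

# No tunnel-mode spdadd here: the peer address is not known in advance, so
# the tunnel policy is generated by racoon at phase 2 time (see below).


# ---- /etc/racoon/racoon.conf (server side) ----
# Added example; paths and algorithms are assumptions, not from the thread.
path pre_shared_key "/etc/racoon/psk.txt";

remote anonymous {
        exchange_mode aggressive, main;
        passive on;              # respond only, never initiate toward an unknown peer
        generate_policy on;      # racoon.conf(5): if no SPD entry matches during
                                 # phase 2, build one from the initiator's proposal,
                                 # i.e. the dynamic peer supplies the "remote" address
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

Two points worth checking on a box configured this way: "generate_policy" only fires when no existing SPD entry matches the proposal, so static transport entries like the ones above and generated tunnel entries can coexist as long as their selectors do not overlap; and psk.txt is looked up by the peer's identifier, so with aggressive mode each roaming client can present its own identifier (for example a user_fqdn set with "my_identifier" on the client) and get its own key instead of every client sharing one secret.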