Subject: Re: Using IKE with one fixed end and one dynamic end
To: Shoichi Sakane <sakane@kame.net>
From: Darren Reed <darrenr@reed.wattle.id.au>
List: tech-net
Date: 10/30/2001 14:04:59
In some email I received from Shoichi Sakane, sie wrote:
> > Does anyone have any suggestions on how to configure IKE (racoon) for
> > access to a LAN from cable internet (DHCP) ? Can you assume you know
> > nothing about the remote IP address ? Particularly, what should
> > the SPDs look like.
>
> i always define the SPD like the following.
> at the client side,
> spdadd 0.0.0.0/0 server any -P out ipsec esp/transport//require;
> spdadd server 0.0.0.0/0 any -P in ipsec esp/transport//require;
>
> at the server side,
> spdadd server 0.0.0.0/0 any -P out ipsec esp/transport//use;
> spdadd 0.0.0.0/0 server any -P in ipsec esp/transport//use;
> and i specify "passive on" in the configuration file of the racoon
> at the server.
Won't this also prevent non-ipsec traffic from leaving the server ?
Oh, no, because you don't "require", only "use" if suggested by the
client, right ?
What if you want to do tunnelling and the remote end has a
dynamic IP address ? What do you fill in for "remote" below ?
spdadd 10.1.1.1 0.0.0.0/0 any -P out ipsec esp/tunnel/10.1.1.1-remote/use;
spdadd 0.0.0.0/0 10.1.1.1 any -P in ipsec esp/tunnel/remote-10.1.1.1/use;
Darren
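As an added illustration (not part of the thread), a small Python model of how the kernel treats a packet under the quoted transport-mode policies: it parses the spdadd lines above and shows that the server's "use" policies let plaintext pass when no SA exists, while the client's "require" policies hold the packet back. The server address 192.0.2.1 and the client/peer addresses are constructed placeholders.

```python
import ipaddress

# Constructed: the SPD lines quoted in the thread, with "server" replaced
# by a placeholder documentation address.
SERVER = "192.0.2.1"
SPD_SERVER = [
    f"spdadd {SERVER} 0.0.0.0/0 any -P out ipsec esp/transport//use;",
    f"spdadd 0.0.0.0/0 {SERVER} any -P in ipsec esp/transport//use;",
]
SPD_CLIENT = [
    f"spdadd 0.0.0.0/0 {SERVER} any -P out ipsec esp/transport//require;",
    f"spdadd {SERVER} 0.0.0.0/0 any -P in ipsec esp/transport//require;",
]


def parse_spdadd(line):
    """Parse one setkey 'spdadd src dst ul -P dir ipsec proto/mode/ep/level;' line."""
    toks = line.rstrip(";").split()
    assert toks[0] == "spdadd" and toks[4] == "-P" and toks[6] == "ipsec"
    proto, mode, endpoints, level = toks[7].split("/")
    return {
        "src": ipaddress.ip_network(toks[1], strict=False),
        "dst": ipaddress.ip_network(toks[2], strict=False),
        "dir": toks[5],
        "proto": proto,
        "mode": mode,
        "level": level,
    }


def parse_spd(lines):
    return [parse_spdadd(l) for l in lines]


def decide(spd, src, dst, direction, sa_exists):
    """Model the kernel's choice for one packet: 'esp', 'clear' or 'drop'.

    Simplification: first matching policy wins (the real kernel selects by
    prefix length and policy order).  With 'require' and no SA the kernel
    asks racoon for one and the packet does not pass in the clear; with
    'use' and no SA the packet is sent or accepted unprotected.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in spd:
        if p["dir"] == direction and s in p["src"] and d in p["dst"]:
            if sa_exists:
                return "esp"
            return "drop" if p["level"] == "require" else "clear"
    return "clear"  # no matching policy: plain IP
```

The model also makes the flip side of Darren's point visible: the server's inbound "use" line accepts unprotected packets from any peer, so protection is only enforced by the client's "require" policies, not by the server.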