Subject: Re: Using IKE with one fixed end and one dynamic end
To: Shoichi Sakane <>
From: Darren Reed <>
List: tech-net
Date: 10/30/2001 14:04:59
In some email I received from Shoichi Sakane, sie wrote:
> >    Does anyone have any suggestions on how to configure IKE (racoon) for
> > access to a LAN from cable internet (DHCP) ?  Can you assume you know
> > nothing about the remote IP address ?  Particularly, what should
> > the SPDs look like.
> I always define the SPD like the following.
> at the client side,
> 	spdadd server any -P out ipsec esp/transport//require;
> 	spdadd server any -P  in ipsec esp/transport//require;
> at the server side,
> 	spdadd server any -P out ipsec esp/transport//use;
> 	spdadd server any -P  in ipsec esp/transport//use;
> and I specify "passive on" in the configuration file of the racoon
> at the server.

Won't this also prevent non-ipsec traffic from leaving the server ?
Oh, no, because you don't "require", only "use" if suggested by the
client, right ?

What if you want to do tunnelling and the remote end has a
dynamic IP address ?  What do you fill in for "remote" below ?

spdadd any -P out ipsec esp/tunnel/;
spdadd any -P  in ipsec esp/tunnel/remote-;
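As an added illustration (not part of the thread, and not Shoichi's or Darren's own configuration), the two SPD sets from the reply written out with concrete placeholder addresses, plus a server-side racoon.conf fragment for a peer with an unknown address. The server address 192.0.2.1, the file paths and the algorithm choices are assumptions for the example.

```conf
# --- /etc/ipsec.conf on the CLIENT (dynamic DHCP address), loaded with setkey -f ---
# The client knows only the server's fixed address, so its own side is 0.0.0.0/0.
# "require" means traffic to/from the server is dropped unless it is ESP-protected.
spdadd 0.0.0.0/0 192.0.2.1 any -P out ipsec esp/transport//require;
spdadd 192.0.2.1 0.0.0.0/0 any -P in  ipsec esp/transport//require;

# --- /etc/ipsec.conf on the SERVER (fixed address 192.0.2.1) ---
# "use" asks for ESP when an SA exists but still passes cleartext, so hosts that
# never negotiated IKE can still reach the server (this answers the "non-ipsec
# traffic" question above). The cost: the server cannot enforce IPsec per peer,
# and an unprotected packet claiming any source address is accepted as-is.
spdadd 192.0.2.1 0.0.0.0/0 any -P out ipsec esp/transport//use;
spdadd 0.0.0.0/0 192.0.2.1 any -P in  ipsec esp/transport//use;

# --- /etc/racoon/racoon.conf fragment on the SERVER ---
path pre_shared_key "/etc/racoon/psk.txt";   # assumed path; PSK is per client identifier

# "anonymous" matches a peer at any address; "passive on" makes the server
# wait for the client to initiate, since the server cannot know where to call.
remote anonymous {
        exchange_mode aggressive,main;
        passive on;
        # generate_policy installs an SPD entry for the peer's actual address
        # once phase 2 completes, which is what the tunnel-mode case needs
        # when the remote end is not known in advance.
        generate_policy on;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

Check the installed policies on each host with `setkey -DP` after loading; with "use" on the server, expect to see the same cleartext acceptance reflected there.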