Subject: Re: Using IKE with one fixed end and one dynamic end
To: None <>
From: Shoichi Sakane <>
List: tech-net
Date: 10/30/2001 12:32:39
> In some email I received from Shoichi Sakane, sie wrote:
> > >    Does anyone have any suggestions on how to configure IKE (racoon) for
> > > access to a LAN from cable internet (DHCP) ?  Can you assume you know
> > > nothing about the remote IP address ?  Particularly, what should
> > > the SPDs look like.

> > i always define the SPD like the following.
> > at the client side,
> > 	spdadd server any -P out ipsec esp/transport//require;
> > 	spdadd server any -P  in ipsec esp/transport//require;

> Won't this also prevent non-ipsec traffic from leaving the server ?
> Oh, no, because you don't "require", only "use" if suggested by the
> client, right ?

sorry, i miswrote.  these were actually,
	spdadd ::/0 server[110] any -P out ipsec esp/transport//require;
	spdadd server[110] ::/0 any -P  in ipsec esp/transport//require;
	spdadd ::/0 server[25] any -P out ipsec esp/transport//require;
	spdadd server[25] ::/0 any -P  in ipsec esp/transport//require;

these are the recent ones, :-)
	spdadd  ::/0[53] ::/0 any -P in none;
	spdadd  ::/0 ::/0[53] any -P out none;
	spdadd  ::/0 ::/0 any -P out ipsec esp/transport//use;
	spdadd  ::/0 ::/0 any -P in ipsec esp/transport//use;

so my laptop always tries to negotiate IKE with every node even if the
negotiation will fail.

> What if you want to do tunnelling and the remote end has a
> dynamic IP address ?  What do you fill in for "remote" below ?
> spdadd any -P out ipsec esp/tunnel/;
> spdadd any -P  in ipsec esp/tunnel/remote-;

in tunnel mode, the SPD doesn't support the client ip address being
assigned dynamically.  there is the "generate_policy" hack in racoon.
in this hack, you don't need to define any policy on the server side.
you only have to define the policy at the client after the ip address is