tech-net archive
Re: IPsec vs ssh
On 12/11/2013 12:37 PM, Greg Troxel wrote:
>
> Darren Reed <darrenr%netbsd.org@localhost> writes:
>
>> The man page for setkey seems to suggest that there is a priority
>> mechanism that would allow me to create a "none" SPD for ssh
>> packets but setkey on NetBSD doesn't support this. If I understand
>> correctly, if it was present then I would do something like this:
>>
>> spdadd A.B.C.D/32 E.F.G.0/24 any -P in priority low ipsec
>> esp/tunnel/A.B.C.D-E.F.G.H/require;
>> spdadd E.F.G.0/24 A.B.C.D/32 any -P out priority low ipsec
>> esp/tunnel/E.F.G.H-A.B.C.D/require;
>> spdadd A.B.C.D/32[22] E.F.G.0/24[any] tcp -P in priority high none;
>> spdadd E.F.G.0/24[any] A.B.C.D/32[22] tcp -P out priority high none;
>
> I have only skimmed this rather huge (and surprisingly contentious)
> thread.
>
> Two points about your policies:
>
> They have to match on both ends, inversely.
When NAT is involved and NetBSD is behind the NAT device, how can they?
Darren
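As an added example, not code from the thread or from NetBSD: a small POSIX sh check for Greg's point that the SPD on the two ends of a tunnel must match inversely. For a plain ESP tunnel that means the peer's spdadd lines carry the same selectors and the same tunnel endpoints as ours, with only "-P in" and "-P out" exchanged, and the script tests for exactly that. The addresses are hypothetical RFC 5737 documentation ranges standing in for A.B.C.D (host), E.F.G.H (remote gateway) and E.F.G.0/24, the sample setkey files are constructed here, and the priority keyword and the NAT case raised in the reply are deliberately left out.

```sh
#!/bin/sh
# Added example, not from the thread: verify that the setkey SPD on one end
# of an ESP tunnel is the exact inverse of the SPD on the other end.
# Addresses are hypothetical (RFC 5737 documentation ranges) standing in
# for the thread's A.B.C.D (host), E.F.G.H (remote gateway) and E.F.G.0/24.

# normalize_spd: stdin is a setkey policy file. Strip comments, join the
# continuation lines so every "spdadd ... ;" statement is one line, squeeze
# whitespace, keep only spdadd statements, and sort them.
normalize_spd() {
    sed 's/#.*//' |
    tr '\n\t' '  ' |
    tr ';' '\n' |
    sed 's/^ *//; s/ *$//; s/  */ /g' |
    grep '^spdadd ' |
    sort
}

# invert_dir: swap "-P in" and "-P out". Between two tunnel ends the
# selectors and tunnel endpoints are identical on both sides; only the
# direction differs, which is what "match inversely" means in SPD terms.
invert_dir() {
    sed 's/-P in /-P OUT_ /; s/-P out /-P in /; s/-P OUT_ /-P out /'
}

# spd_mirror_check LOCAL_SPD PEER_SPD: return 0 when PEER_SPD equals
# LOCAL_SPD with every direction flipped, otherwise print both views to
# stderr and return 1.
spd_mirror_check() {
    expected=$(printf '%s' "$1" | normalize_spd | invert_dir)
    actual=$(printf '%s' "$2" | normalize_spd)
    if [ "$expected" = "$actual" ]; then
        return 0
    fi
    printf '=== expected on peer ===\n%s\n=== actual on peer ===\n%s\n' \
        "$expected" "$actual" >&2
    return 1
}

# Constructed sample: the host side, written the way the thread does, with
# each policy continued onto a second line.
HOST_SPD='
spdflush;
# 192.0.2.10 <-> gateway 198.51.100.1 protecting 198.51.100.0/24
spdadd 192.0.2.10/32 198.51.100.0/24 any -P out ipsec
       esp/tunnel/192.0.2.10-198.51.100.1/require;
spdadd 198.51.100.0/24 192.0.2.10/32 any -P in ipsec
       esp/tunnel/198.51.100.1-192.0.2.10/require;
'

# Constructed sample: the gateway side, correct (same selectors and tunnel
# endpoints as the host, direction flipped).
GW_SPD='
spdflush;
spdadd 198.51.100.0/24 192.0.2.10/32 any -P out ipsec
       esp/tunnel/198.51.100.1-192.0.2.10/require;
spdadd 192.0.2.10/32 198.51.100.0/24 any -P in ipsec
       esp/tunnel/192.0.2.10-198.51.100.1/require;
'

# Constructed sample: a gateway side with a common slip, the inbound
# tunnel endpoints written gateway-first instead of host-first.
BAD_GW_SPD='
spdflush;
spdadd 198.51.100.0/24 192.0.2.10/32 any -P out ipsec
       esp/tunnel/198.51.100.1-192.0.2.10/require;
spdadd 192.0.2.10/32 198.51.100.0/24 any -P in ipsec
       esp/tunnel/198.51.100.1-192.0.2.10/require;
'

# Run as "sh spdcheck.sh demo" (file name hypothetical) to see both results.
if [ "${1-}" = "demo" ]; then
    spd_mirror_check "$HOST_SPD" "$GW_SPD" && echo "host/gw: mirrored"
    spd_mirror_check "$HOST_SPD" "$BAD_GW_SPD" || echo "host/bad-gw: mismatch"
fi
```

The check only covers the symmetric tunnel case Greg describes; a gateway that carries a different selector for the same traffic, or that sits behind a NAT so the outer addresses differ per side, will be reported as a mismatch rather than reconciled.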