Subject: Re: IPsec configuration issues
To: thorpej@shagadelic.org
From: itojun@iijlab.net
List: tech-security
Date: 03/13/2000 11:43:00
cc: tech-security@netbsd.org
cc: sakane@ame.net
In-reply-to: thorpej's message of Sun, 12 Mar 2000 18:03:36 PST.
      <20000312180336.A1139@dhcp0.wlan.shagadelic.org>
Message-ID: <6370.952915380@coconut.itojun.org>


>...this might really belong on tech-net, but...

	need to write up more documents...

>I've been having some trouble figuring out how to get setkey(8)/racoon(8)
>to do precisely what I want.
>
>To summarize, I have a server which serves data to some mobile stations
>which have dynamically assigned addresses, often not on networks which
>are under the administrative control of the server's admin (me :-)

	Normally IKE uses IP addresses to identify the peer.  There are
	two possible workarounds:
	1. Get X.509 certificates and use those for authentication.
	2. Use user_fqdn identifier type.  psk.txt should include
	   something like this:
>itojun@itojun.org	secretkey
	   and the client side needs to present user_fqdn identifier.
	   This hack is from ashley-laurent's VPN box.
	   (I have never used this - sakane-san please confirm)

	I'm afraid (1) is not in the NetBSD tree yet (in KAME tree).

>Now, the server's addresses (it has 2) are static.  However, I need a
>way to say "any" for the other end.  In English, I'd like to say this:
>	For all packets destined to <ip_address_of_server>[tcp port 110],
>	they must be encrypted with <algorithm>.

	inetd.conf "#@" hack should be useful here.

#@ in ipsec esp/transport//require
pop3  stream	tcp	nowait	root	/usr/pkg/libexec/qpopper	qpopper -s
#@

itojun
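As an added example (not from itojun's message, and not code from NetBSD's inetd or racoon), here is a small checker that applies the "#@" scoping rule to an inetd.conf fragment and validates each policy string against the ipsec_set_policy(3) grammar subset it assumes; the service entries are constructed for illustration.

```python
# Constructed inetd.conf fragment: a "#@ policy" line applies to the
# services after it, and an empty "#@" line resets to inetd's default.
INETD_CONF = """\
ftp    stream tcp nowait root   /usr/libexec/ftpd         ftpd -ll
#@ in ipsec esp/transport//require
pop3   stream tcp nowait root   /usr/pkg/libexec/qpopper  qpopper -s
imap   stream tcp nowait root   /usr/pkg/libexec/imapd    imapd
#@
finger stream tcp nowait nobody /usr/libexec/fingerd      fingerd
"""

# Token sets assumed from the ipsec_set_policy(3) grammar subset
#   direction action [protocol/mode/src-dst/level ...]
DIRECTIONS, ACTIONS = {"in", "out"}, {"discard", "entrust", "bypass", "ipsec"}
PROTOCOLS, MODES = {"ah", "esp", "ipcomp"}, {"transport", "tunnel"}
LEVELS = {"default", "use", "require", "unique"}


def parse_policy(spec):
    """Validate one policy string; return (direction, action, requests)."""
    toks = spec.split()
    if (len(toks) < 2 or toks[0] not in DIRECTIONS or toks[1] not in ACTIONS
            or (toks[1] == "ipsec" and len(toks) < 3)):
        raise ValueError("bad policy: %r" % spec)
    requests = []
    for req in toks[2:]:
        parts = req.split("/")
        if (len(parts) != 4 or parts[0] not in PROTOCOLS
                or parts[1] not in MODES or parts[3] not in LEVELS):
            raise ValueError("bad request: %r" % req)
        # transport mode carries no addresses; tunnel mode needs "src-dst"
        if parts[1] == "transport" and parts[2]:
            raise ValueError("transport mode takes no addresses: %r" % req)
        if parts[1] == "tunnel" and "-" not in parts[2]:
            raise ValueError("tunnel mode needs src-dst: %r" % req)
        requests.append(tuple(parts))
    return toks[0], toks[1], requests


def service_policies(conf):
    """Map each service name to the #@ policy in force on its line (None = default)."""
    current, result = None, {}
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("#@"):
            spec = line[2:].strip()
            if spec:
                parse_policy(spec)  # reject a typo before inetd ever sees it
            current = spec or None
        elif line and not line.startswith("#"):
            result[line.split()[0]] = current
    return result
```

Running service_policies over a real inetd.conf shows at a glance which listeners actually get the "require" policy and which silently fall outside the #@ span.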