Re: Configuring sainfo in racoon(8)

From: Greg Panula (greg.panula@dolaninformation.com)
Date: 06/24/02


Date: Sun, 23 Jun 2002 19:37:22 -0500
From: Greg Panula <greg.panula@dolaninformation.com>
To: cjclark@alum.mit.edu


"Crist J. Clark" wrote:
>
-- <clip> --
>
> I want to use 'user_fqdn' because,
>
> 1) One end has a dynamic address so I can't specify 'sainfo' with
> an address, and
>
> 2) I (will) have different policies for different peers so I do not
> want to use an 'anonymous' 'sainfo.'
>
> I have no attachment to using 'user_fqdn,' it's just that I don't want
> to try to use addresses since one end is dynamic, and 'user_fqdn'
> seemed the obvious choice from the racoon.conf(5) docs.

Ok, maybe some confusion on what the sainfo part of racoon.conf really
does. To best of my knowledge the sainfo part really just sets up the
encryption used by ESP;algorithms & lifetime.

So, using an anonymous sainfo in racoon.conf doesn't really go against
your requirements. You can use the phase 1 section(remote) to allow the
remote end to set the policy: 'proposal_check claim: obey' will do the
trick. Just configure the sainfo anonymous to support a wide variety of
algorithms and the "obey part" will take care of the lifetime setting.

The rub you'll run into with dynamic addresses on the remote end is
finding a matching spd(ipsec policy). Creative use of 0.0.0.0 and 'use'
instead of 'require' might work but I haven't built up the gumption to
try, yet. Notes about using PGPNet and ipsec might have something
useful about dynamic ip addresses.

Hope this helps,
  Greg

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message