Re: linux-ipsec: Configuration commands

> >From klips/doc/rgb_setup file in the distribution:
> > Note: The ipsec interface IP, broadcast address and netmask should be
> > identical to the physical interface to which it is attached.
>
> Shouldn't the IPSEC device inherit addresses and netmask, then? Why is
> the second command above necessary? For that matter, why isn't the
> whole thing just:
> ipsec attach ipsec0 eth0

Because the whole thing is done at an even higher level than that -- the
config file specifies the ipsec/physical connection, and "ipsec setup
start" puts it into effect. (This may need elaboration because of odd
cases like laptops with interfaces being plugged and unplugged -- that's
on my to-be-looked-at-soon list -- but the basic idea will remain: the
interface names are specified in a configuration file, not on the command
line.) Oh yes, and "ipsec setup start" figures out how to configure the
ipsec device by looking at the physical device, as it should.

> Notes like the one above scare me. I'm inclined to assume that if users
> can get something wrong, some of them will.

klips/doc/rgb_setup either should be removed from the distribution
entirely, or should change drastically into a "theory and practice for
advanced users" document. Almost all the actual recipes in it have been
rendered obsolete, for normal users, by "ipsec manual".

Henry Spencer
henry@spsystems.net
(henry@zoo.toronto.edu)
Received on Fri Jan 15 21:07:57 1999