Pantek Library

Re: [Design] IPSec in 2.5 Kernel?

From: John S. Denker <jsd(at)monmouth.com>
Date: Thu Mar 20 2003 - 04:15:07 EST

On 03/20/2003 02:39 AM, Derek Atkins wrote:
>
> I _presume_ what you mean is that you've got a VPN gateway at

Yes, that's what I mean when I speak of a subnet-to-subnets VPN.

> I also presume that the satellite

Yes, that's what I mean when I speak of dynamic addresses.

> If "automatic keying" means "IKE with RSA without

Yes, when I speak of automatic keying I mean IKE as opposed to manual keying. I forgot to mention RSA but yes, that's what I had in mind.

> then yes, it can do that (although only

I'm delighted to hear it.

But tell me, how does my security policy get set up when my peers have non-static addresses? I know about racoon's generate_policy option as mentioned in e.g.

http://www.qnx.com/developer/docs/momentics_nc_docs/neutrino/utilities/r/racoon.conf.html

but my little brain doesn't see a convenient way to make it secure. Suppose a peer that's supposed to have access to one of my subnets wants access to another of (or all of) my subnets. How do I prevent this?



Design mailing list
Design@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/design

Received on Thu Mar 20 04:49:05 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:57 EDT

