Hosting Provided By

[Design] ipsec.conf alsoflip=

From: D. Hugh Redelmeier <hugh(at)mimosa.com>
Date: Tue Mar 25 2003 - 22:05:12 EST

-----BEGIN PGP SIGNED MESSAGE-----
There are a number of useful tricks in writing ipsec.conf files.

One of them is to use the also= option to build conns in a modular way.

Consider n networks that will be used in a VPN. Each node's ipsec.conf needs up to n-1 conns describing its connections with others. One convenient trick is to distribute a file with a conn for each network, specifying only that network (leaving out the other side). By convention, make that system "right" (mnemonic: "remote" also starts with r).

Each SG would have its own ipsec.conf with a (partial) conn defining itself as left (like "local", it starts with l). Then there would be a conn for each connection:

conn joe-to-fred

	also=joe-as-left
	also=fred-as-right

The VPN need not be a complete graph for this approach to work.

There is one minor annoyance. Each system must be described somewhere as a left and somewhere as a right. I've added a new option to elmiminate this redundancy: alsoflip.

alsoflip can be used just like also. The only difference is that everything that gets merged into the conn via alsoflip is exchanged left for right.

Do you need help?

conn joe-to-fred

	alsoflip=joe
	also=fred

Claudia: do you need to document this? I've described it in ipsec.conf(5).

Hugh Redelmeier
hugh@mimosa.com voice: +1 416 482-8253

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPoEY7MFAuQPManGZAQFZLQP+NV7u35x7tE6ydhlNVRdxlIaUu6xW9K9J /G3ugnoOKrFFbBd3Ys6AkkjCmL76RroEDTdcJV4YZ6v+MWzeDdbsEuI88XV54Sta d6jwNTCMKBK6B5zJdIFfnCBb4NRwReA9A5dHrgQAs6f4pNUOv5WZxEg3t5DrDNhT YHjZSD89638=
=PF8m
-----END PGP SIGNATURE-----

Design mailing list
Design@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/design Received on Wed Mar 26 11:19:48 2003

This message: [ Message body ]
Next message: D. Hugh Redelmeier: "[Design] ipsec auto --status: more description for bare shunts"
Previous message: D. Hugh Redelmeier: "Re: [Design] pluto broken in HEAD"
In reply to D. Hugh Redelmeier: "[Design] some changes to delete patch, as commited by Sam"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:57 EDT