[Ipsec-tools-devel] "road warrior" for transport mode clients?

[Dan W. <dw...@ol...>]

Hi,

I have a working configuration between two systems using transport mode. 
Each system is using kerberos to key the negotiations and I've verified 
that pings are encrypted with a network sniffer.

Both systems have nearly identical configuration:

/etc/racoon/racoon.conf:

listen {
        adminsock disabled;
}

remote anonymous {
        exchange_mode aggressive,main;
        proposal_check claim;
        generate_policy on;
        nat_traversal off;
        #dpd_delay 20;
        #ike_frag on;
        proposal {
                encryption_algorithm aes;
                #hash_algorithm md5;
                hash_algorithm sha1;
                #authentication_method hybrid_rsa_server;
                authentication_method gssapi_krb;
                dh_group 2;
                gss_id "host/host1.example.com";
        }
}

sainfo anonymous {
        #pfs_group 2;
        pfs_group 1;
        #lifetime time 1 hour;
        encryption_algorithm aes;
        #authentication_algorithm hmac_md5;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}




and my /etc/ipsec-tools.conf:

#!/usr/sbin/setkey -f
flush;
spdflush;

spdadd 2610:b8::xx:xx:xx:1 2610:b8::xx:xx:xx:2 any -P out ipsec 
esp/transport//require;
spdadd 2610:b8::xx:xx:xx:2 2610:b8::xx:xx:xx:1 any -P in ipsec 
esp/transport//require;


This config has mostly been patched together from online examples.

One host (say ...xx:1) is an ISP server, and I want to optionally offer 
IPsec to clients upon request... that is, if a client were to configure 
their own /etc/ipsec-tools.conf script like above, then the server would 
set up the appropriate associations, on demand, without having to 
manually configure an ipsec-tools.conf with entries for each client.

Is this possible, and if so can anyone direct me to documentation on how 
to configure it?

Thank You,
- Dan