From: Adam B. <Adam.Baum@MesaAZ.gov> - 2010-03-24 17:36:27
I would like to issue a blanket spdadd for a 10.0.0.0 network and then exclude two subnets such as 10.10.0.0 and 10.13.0.0. When I add the spddelete range to my setkey.conf file and run it, I get an error: "The result of line 7: No entry." Line 7 happens to be the line where I issue spddelete. Is there a way to accomplish the exclusion of two subnets?

adam
From: s S <get...@gm...> - 2010-03-25 07:12:27
Hi Adam,

Here the spddelete is not required; instead it could be done as follows:

1. Add the rules to block/not apply ipsec to the IP range that has to be excluded.
2. Add your blanket rule.

E.g.: Suppose 50.0.0.1 is the IP of your PC. Then for a transport mode connection with both ESP and AH, the setkey.conf should have the following rules:

# Rule to exclude 10.10.0.0 from ipsec. Change the "none" to "discard" to block traffic from/to 10.10.0.0
spdadd 50.0.0.1 10.10.0.0/16 any -P out none;
spdadd 10.10.0.0/16 50.0.0.1 any -P in none;

# Rule to exclude 10.13.0.0 from ipsec. Change the "none" to "discard" to block traffic from/to 10.13.0.0
spdadd 50.0.0.1 10.13.0.0/16 any -P out none;
spdadd 10.13.0.0/16 50.0.0.1 any -P in none;

# Blanket rule to apply ipsec for 10.0.0.0
spdadd 50.0.0.1 10.0.0.0/8 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 10.0.0.0/8 50.0.0.1 any -P in ipsec esp/transport//require ah/transport//require;

Hope this helps.

Regards,
Laser

On Wed, Mar 24, 2010 at 10:56 PM, Adam Baum <Ada...@me...> wrote:
> I would like to issue a blanket spdadd for a 10.0.0.0 network and then
> exclude two subnets such as 10.10.0.0 and 10.13.0.0. When I add the
> spddelete range to my setkey.conf file and run it, I get an error: The
> result of line 7: No entry. Line 7 happens to be the line where I issue
> spddelete. Is there a way to accomplish the exclusion of two subnets?
>
> adam
>
> _______________________________________________
> Ipsec-tools-devel mailing list
> Ips...@li...
> https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel
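The exclusion in the reply works because, for a given packet, the more specific "none" policy for 10.10.0.0/16 or 10.13.0.0/16 takes precedence over the blanket 10.0.0.0/8 "ipsec" policy. The following is an added example (not code from the ipsec-tools project or from the thread) that parses those setkey.conf rules and simulates the SPD lookup under the assumption that the kernel selects the most specific matching policy (longest combined source/destination prefix); after loading a real configuration, confirm the installed policies with `setkey -DP`.

```python
import ipaddress
import re

# Constructed copy of the spdadd rules posted in the reply above.
SETKEY_CONF = """
# Rule to exclude 10.10.0.0 from ipsec
spdadd 50.0.0.1 10.10.0.0/16 any -P out none;
spdadd 10.10.0.0/16 50.0.0.1 any -P in none;
# Rule to exclude 10.13.0.0 from ipsec
spdadd 50.0.0.1 10.13.0.0/16 any -P out none;
spdadd 10.13.0.0/16 50.0.0.1 any -P in none;
# Blanket rule to apply ipsec for 10.0.0.0
spdadd 50.0.0.1 10.0.0.0/8 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 10.0.0.0/8 50.0.0.1 any -P in ipsec esp/transport//require ah/transport//require;
"""

# Matches: spdadd <src> <dst> <upperspec> -P <direction> <action> ...
SPDADD = re.compile(
    r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\s+(discard|none|ipsec)\b"
)


def parse_spd(text):
    """Return a list of (src_net, dst_net, direction, action) from spdadd lines."""
    spd = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or setkey comment
        m = SPDADD.match(line)
        if not m:
            raise ValueError("unsupported line: " + line)
        src, dst, _upper, direction, action = m.groups()
        # A bare address such as 50.0.0.1 becomes a /32 host route.
        spd.append((ipaddress.ip_network(src, strict=False),
                    ipaddress.ip_network(dst, strict=False), direction, action))
    return spd


def lookup(spd, src_ip, dst_ip, direction):
    """Return the action of the most specific policy matching the packet, or None.

    Assumption (labelled): the most specific policy wins, measured here as the
    sum of the source and destination prefix lengths, so list order is irrelevant.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    best = None
    for s, d, dirn, action in spd:
        if dirn == direction and src in s and dst in d:
            specificity = s.prefixlen + d.prefixlen
            if best is None or specificity > best[0]:
                best = (specificity, action)
    return best[1] if best else None
```

Traffic to 10.10.x.x and 10.13.x.x resolves to `none`, the rest of 10.0.0.0/8 to `ipsec`, and addresses outside the blanket range match no policy at all.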