Re: [Ipsec-tools-users] Question about setkey

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Wed, 27 Aug 2008, Sean Hughes wrote:

>
> I'm learning about IPsec and while I was reading about the setkey.conf I 
> saw the following lines, with each "add" representing a security

[...snip...]

> My question is: Why would you need to provide the source address if the 
> association are based on destination address and SPI ? Is this a 
> unnecessary requirement or this information (source address) can be used 
> elsewhere?

My understanding is that racoon(8) should install all of these ipsec 
policies automatically on-demand (for road warriors, etc.).

In NetBSD 3.x, though, I always had to popualte ipsec.conf -- and never 
questioned it --- because they were static tunnels.

~BAS