It turns out that setting the remote subnet to a single host doesn't
seem to work. So:

This works:

    sainfo address 10.31.50.0/24 any address 198.162.241.0/24 any {
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
        pfs_group 2;
        lifetime time 86400 secs;
    }

This doesn't:

    sainfo address 10.31.50.0/24 any address 198.162.241.51/32 any {
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
        pfs_group 2;
        lifetime time 86400 secs;
    }

This passes phase 1 but fails phase 2:

    sainfo address 10.31.50.0/24 any address 198.162.241.51/24 any {
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
        pfs_group 2;
        lifetime time 86400 secs;
    }

--
George Farris farrisg at mala dot bc dot ca
Malaspina University-College |
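
The three remote selectors in the post above differ only in how the address and prefix are written. The following is an added example, not part of the original message: it parses `sainfo address` headers from a racoon.conf and reports which form each selector takes (aligned subnet, single host, or a host address under a wider prefix). The function names `classify` and `audit` are hypothetical, and the sample text is the three headers copied from the post.

```python
import ipaddress
import re

# Matches "sainfo address <local> <port> address <remote> <port> {" headers.
SAINFO_RE = re.compile(
    r"^\s*sainfo\s+address\s+(\S+)\s+\S+\s+address\s+(\S+)\s+\S+\s*\{?",
    re.M,
)

def classify(selector):
    """Return (form, canonical_network) for one address[/prefix] selector."""
    iface = ipaddress.ip_interface(selector)
    net = iface.network
    if net.prefixlen == net.max_prefixlen:
        return "single-host", str(net)          # e.g. x.x.x.51/32
    if iface.ip != net.network_address:
        return "host-bits-set", str(net)        # e.g. x.x.x.51/24
    return "subnet", str(net)                   # e.g. x.x.x.0/24

def audit(conf_text):
    """Return one record per sainfo header found in conf_text."""
    records = []
    for m in SAINFO_RE.finditer(conf_text):
        local, remote = m.group(1), m.group(2)
        l_form, l_net = classify(local)
        r_form, r_net = classify(remote)
        records.append({
            "local": local, "local_form": l_form, "local_network": l_net,
            "remote": remote, "remote_form": r_form, "remote_network": r_net,
        })
    return records

# Sample input: the three sainfo headers from the post.
SAMPLE = """\
sainfo address 10.31.50.0/24 any address 198.162.241.0/24 any {
sainfo address 10.31.50.0/24 any address 198.162.241.51/32 any {
sainfo address 10.31.50.0/24 any address 198.162.241.51/24 any {
"""

if __name__ == "__main__":
    for rec in audit(SAMPLE):
        print(f'{rec["remote"]:22} {rec["remote_form"]:14} '
              f'canonical {rec["remote_network"]}')
```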