[Openswan Users] Multiple left

Michael Richardson mcr at sandelman.ottawa.on.ca
Fri Jun 11 14:30:01 CEST 2004




>>>>> "Trevor" == Trevor Benson <tbenson at a-1networks.com> writes:
    >> >>>>> "Trevor" == Trevor Benson <tbenson at a-1networks.com> writes:
    Trevor> Can left= have more than one address? That way a single

    >> No.

    Trevor> Can you then just treat left and right the same, and make
    Trevor> both 0.0.0.0/0 and rely on certificates for authentication,
    Trevor> and let the client decide which IP address they would need
    Trevor> to connect to based on using internet VPN or wireless VPN?

  What you are proposing simply attempts to get around the
user-interface. 
  At the IKE level one can only put a single address+mask in.

  Yes, you could create a tunnel for:
       me/32 <-> 0.0.0.0/0	 => gateway

  but that would route *all* traffic to the Internet via the
gateway. There are lots of reasons to do that, mind you. Securing
wireless to the base station is a good one, and we have done this
regularly.  (see www.wavesec.org for one automated way)

- --
]     "Elmo went to the wrong fundraiser" - The Simpson         |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [


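The me/32 <-> 0.0.0.0/0 tunnel described in the reply, sketched as Openswan ipsec.conf entries. This is an added example, not part of the original message; connection names, addresses, certificate file names and the DN are constructed placeholders. It assumes one conn per gateway address (since left=/right= each take a single address), certificate authentication, and that the client brings up the conn it wants by name.

```conf
# --- Client (road warrior) /etc/ipsec.conf fragment -------------------
# Constructed example: 192.0.2.1 / 198.51.100.1 stand in for the gateway's
# wireless-side and Internet-side addresses.

conn %default
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn via-wireless
    left=%defaultroute            # client's current address (me/32)
    leftcert=client.pem           # placeholder certificate file
    right=192.0.2.1               # exactly one address per conn
    rightid="C=XX, O=Example, CN=gateway.example"   # constructed DN
    rightsubnet=0.0.0.0/0         # *all* client traffic goes via the gateway
    auto=add                      # loaded only; started by the user

conn via-internet
    left=%defaultroute
    leftcert=client.pem
    right=198.51.100.1            # same gateway, other address
    rightid="C=XX, O=Example, CN=gateway.example"
    rightsubnet=0.0.0.0/0
    auto=add

# Client picks one, e.g.:  ipsec auto --up via-wireless

# --- Gateway /etc/ipsec.conf fragment (wireless side) -----------------
conn clients-wireless
    authby=rsasig
    left=192.0.2.1
    leftcert=gateway.pem          # placeholder certificate file
    leftsubnet=0.0.0.0/0          # gateway offers "everything" to the client
    leftrsasigkey=%cert
    right=%any                    # any client address, identified by certificate
    rightrsasigkey=%cert
    auto=add
```

Because rightsubnet is 0.0.0.0/0 on the client, only one of the two client conns should be up at a time.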

