Does anyone have any experience with IPsec under Linux? Particularly without IKE (or ISAKMP)?

I'm trying to understand why both state (Security Associations) and policy have the option to match traffic. Specifically the SELECTOR and UPSPEC parameters in the ip-xfrm man page.

I'm trying to understand why the SELECTOR is used in the state (SA) DB. It seems like I could have a generic [1] state (SA) that is used by multiple policies, via reqid. I would then have the multiple policies match traffic via SELECTORs. I.e. if I wanted to transport SMTP and IMAP through IPsec while not matching SSH between the machines, while reusing the same state (SA) for multiple policies.

[1] as generic as IPsec can be.

--
Grant. . . .
unix || die
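The layout the post is asking about, as an added example written for this reply and not taken from the post or from iproute2 itself: one ESP SA per direction with no SELECTOR at all, and per-port policies that reach those SAs through a shared reqid in their template. The addresses (192.0.2.x), SPIs, ports and the two 20-byte AEAD keys are constructed placeholders; the script name, the plan/apply arguments and the DRY_RUN switch are this example's own conventions, not ip-xfrm options.

```shell
#!/bin/sh
# Added example (not from the original post): manual, IKE-less IPsec in
# transport mode via ip-xfrm. One SA per direction, no SELECTOR on the SAs;
# the policies do the selecting and reach the SAs through a shared reqid.
# Addresses, SPIs and keys below are constructed for illustration only.
set -eu

LOCAL=${LOCAL:-192.0.2.1}
PEER=${PEER:-192.0.2.2}
REQID=${REQID:-1}
PORTS=${PORTS:-"25 143"}   # SMTP and IMAP; SSH (22) is deliberately absent

# rfc4106(gcm(aes)) with ICV 128 wants 20 bytes: 16-byte AES-128 key + 4-byte
# salt. Placeholder values; make real ones with:
#   head -c 20 /dev/urandom | od -An -tx1 | tr -d ' \n'
KEY_OUT=${KEY_OUT:-0011223344556677889900112233445566778899}
KEY_IN=${KEY_IN:-99887766554433221100998877665544332211ff}

# Print every command; also run it unless DRY_RUN=1.
xfrm() {
    printf 'ip xfrm %s\n' "$*"
    [ "${DRY_RUN:-0}" = 1 ] || ip xfrm "$@"
}

# One ESP SA per direction. No SELECTOR: any packet whose policy template
# names this reqid (and whose src/dst/proto esp match) is carried by it.
# replay-window is set explicitly; iproute2's default is 0 (anti-replay off).
add_states() {
    xfrm state add src "$LOCAL" dst "$PEER" proto esp spi 0x1001 reqid "$REQID" \
        mode transport replay-window 32 aead 'rfc4106(gcm(aes))' "0x$KEY_OUT" 128
    xfrm state add src "$PEER" dst "$LOCAL" proto esp spi 0x1002 reqid "$REQID" \
        mode transport replay-window 32 aead 'rfc4106(gcm(aes))' "0x$KEY_IN" 128
}

# Four policies per port so either host may be the client: out/in for
# connections to the peer's port, out/in for connections to our own port.
# Every template carries the same reqid, so all of them share the two SAs.
add_policies() {
    for p in $PORTS; do
        xfrm policy add src "$LOCAL" dst "$PEER" proto tcp dport "$p" dir out \
            tmpl src "$LOCAL" dst "$PEER" proto esp reqid "$REQID" mode transport
        xfrm policy add src "$PEER" dst "$LOCAL" proto tcp sport "$p" dir in \
            tmpl src "$PEER" dst "$LOCAL" proto esp reqid "$REQID" mode transport
        xfrm policy add src "$LOCAL" dst "$PEER" proto tcp sport "$p" dir out \
            tmpl src "$LOCAL" dst "$PEER" proto esp reqid "$REQID" mode transport
        xfrm policy add src "$PEER" dst "$LOCAL" proto tcp dport "$p" dir in \
            tmpl src "$PEER" dst "$LOCAL" proto esp reqid "$REQID" mode transport
    done
}

# Number of 'policy add' lines in a captured plan (sanity check helper).
count_policies() { printf '%s\n' "$1" | grep -c 'policy add'; }

main() {
    if [ "${1:-}" = plan ]; then DRY_RUN=1; fi
    add_states
    add_policies
    [ "${DRY_RUN:-0}" = 1 ] || { ip xfrm state; ip xfrm policy; }
}

# `sh ipsec-manual.sh plan` prints the commands; `sudo sh ipsec-manual.sh apply`
# runs them. The peer needs the mirror image: swap LOCAL/PEER and the keys.
case "${1:-}" in
    plan|apply) main "$1" ;;
esac
```

Two caveats worth keeping in mind with this layout. The SELECTOR on a state is optional precisely so that it can be left empty and the policy side can do all the matching, as above; a state selector only narrows which packets a particular SA will accept beyond what the policy template already says. And manually keyed SAs never rekey, so a setup like this is fine for experiments between two hosts but should get byte/time limits (the `limit` keyword on `ip xfrm state`) or a keying daemon before carrying anything that matters. `ip xfrm monitor` in a second terminal shows which SA each policy hit ends up on.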