The man page for setkey (from ipsec-tools-0.2.2) says the following regarding SPD entries:
upperspec
    Upper-layer protocol to be used. You can use one of words in
    /etc/protocols as upperspec. Or icmp6, ip4, and any can be
    specified. any stands for "any protocol". Also you can use the
    protocol number. You can specify a type and/or a code of ICMPv6
    when Upper-layer protocol is ICMPv6. the specification can be
    placed after icmp6. A type is separated with a code by single
    comma. A code must be specified anytime. When a zero is
    specified, the kernel deals with it as a wildcard. Note that the
    kernel can not distinguish a wildcard from that a type of ICMPv6
    is zero. For example, the following means the policy doesn't
    require IPsec for any inbound Neighbor Solicitation.

        spdadd ::/0 ::/0 icmp6 135,0 -P in none;

Is this capability implemented in the 2.5 kernel IPSec?