From: Samuel Tardieu
Organization: Ecole Nationale Superieure des Telecommunications
To: hackers@freebsd.org
Subject: IPsec tunnels with dynamic addresses
Date: 03 Jul 2000 18:42:12 +0200
Message-Id: <2000-07-03-18-42-13+trackit+sam@antinea.enst.fr>

The current situation: I have some machines with static IP addresses, and some other ones with dynamic IP addresses, permanently connected or not.

What I would like: establish IPsec tunnels between a machine with a static IP and a machine with a dynamic one.

The former solution I used: pipsecd, written by Pierre Beyssac, allows you to configure IPsec tunnels without having an IPsec stack in your kernel. These tunnels can have dynamic addresses: when an IPsec packet enters the machine with a static IP and has the right signature, this changes the tunnel's dynamic end to be the machine that sent the packet. That means that sending a single packet from a new IP address was enough to reconfigure the whole tunnel.

Is that doable with the current IPsec kernel implementation?
Can we dynamically change security policies so that a new tunnel is created when a packet with the right SPI is received? How can one intercept IPsec packets, since they are not tagged IPsec anymore when they arrive in userland?

Sam
-- 
Samuel Tardieu -- sam@inf.enst.fr
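A small model of the pipsecd-style behaviour the post describes, added here as an example and not code from the post or from pipsecd: an ESP packet arriving with a known SPI re-points the tunnel's dynamic end to the sender, but only after the packet's ICV verifies under that SA's key and its sequence number advances, so a spoofed packet carrying a known SPI cannot move the tunnel. The SPI, key, and ICV format (HMAC-SHA1 truncated to 96 bits, as in RFC 2404) are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed SA table for the example (not from the post): SPI -> auth key,
# current dynamic peer, and the highest sequence number accepted so far.
TUNNELS = {
    0x00001001: {"key": b"constructed-demo-key-1", "peer": None, "last_seq": 0},
}

ICV_LEN = 12  # HMAC-SHA1-96: 96-bit truncated authenticator


def build_esp(spi, seq, payload, key):
    """Constructed helper: ESP header (SPI, sequence) + payload + HMAC-SHA1-96 ICV."""
    body = struct.pack("!II", spi, seq) + payload
    return body + hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]


def process_esp(packet, src_ip):
    """Process an inbound ESP packet from src_ip.

    Returns the tunnel's dynamic peer after processing, or None if the packet
    was rejected. The peer address is updated only after the ICV verifies and
    the sequence number advances: the "right signature" check from the post,
    plus replay protection, must both pass before the tunnel is reconfigured.
    """
    if len(packet) < 8 + ICV_LEN:
        return None  # too short to carry an ESP header and an ICV
    spi, seq = struct.unpack("!II", packet[:8])
    tunnel = TUNNELS.get(spi)
    if tunnel is None:
        return None  # unknown SPI: not one of our tunnels
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(tunnel["key"], body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None  # authentication failed: never move the tunnel on this
    if seq <= tunnel["last_seq"]:
        return None  # replayed or stale packet: ignore
    tunnel["last_seq"] = seq
    if tunnel["peer"] != src_ip:
        tunnel["peer"] = src_ip  # the single-packet "reconfigure the tunnel" step
    return tunnel["peer"]
```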