From owner-freebsd-questions@FreeBSD.ORG Mon Jul 14 06:34:50 2003
From: Mike Tancsa <mike@sentex.net>
To: questions@freebsd.org
Subject: IPSEC with Dynamic IP addresses
Date: Mon, 14 Jul 2003 09:34:13 -0400
Message-Id: <5.2.0.9.0.20030714091115.01f2f7b0@209.112.4.2>

Does anyone know of any documentation on how to do this? I have searched through Google and I find lots of references to people saying, "use certificates", but beyond that I haven't found any actual documentation on how to do it.

The setup is 30 client sites with dynamic IP addresses connecting to one head office that has a static IP address. The 30 client sites all have unique RFC 1918 based subnets behind them. The problem is how to do all the setkey business. The client end can find out the IP address it's dynamically assigned and then do the appropriate setkey. But the head office cannot do the same thing, as it has no built-in way of knowing what the client endpoint is. I don't want to implement some additional protocol to send the HQ saying, "Hi, I am IP address xxx, please construct your setkey accordingly", as it would be a security issue if not thought out correctly.

These are all very remote sites, so analog dialup is the only connection available. Any pointers would be great. Currently we are using mpd to dial up and then tunnel across the mpd tunnel, but there is a resource leak somewhere in doing this. There are other problems with this method as well, so we would like to avoid it.

---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
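An added example, not taken from Mike's message or from FreeBSD's own tooling, of the client-side step described above: rendering the KAME setkey tunnel policies once the dial-up address is known, and refusing to install them if the discovered address is empty or RFC 1918 (i.e. the link is not really up yet). The interface name tun0, the HQ address 198.51.100.1 and all subnets are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Builds setkey(8) SPD entries
# for one dial-up client whose public address is only known after the link
# comes up. All addresses/subnets are constructed placeholders.

# Succeed only if $1 is a dotted quad that is not RFC 1918, loopback or empty.
is_public_ipv4() {
    case "$1" in
        ""|0.0.0.0|127.*|10.*|192.168.*) return 1 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
    esac
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Read the address assigned to the PPP link (assumption: interface tun0).
link_ipv4() {
    ifconfig "${1:-tun0}" 2>/dev/null | awk '$1 == "inet" { print $2; exit }'
}

# Emit tunnel-mode ESP policies between the client subnet and the HQ subnet.
# args: client_public_ip client_subnet hq_public_ip hq_subnet
render_spd() {
    cip=$1 cnet=$2 hip=$3 hnet=$4
    if ! is_public_ipv4 "$cip"; then
        echo "refusing to install policy: '$cip' is not a public address" >&2
        return 1
    fi
    cat <<EOF
flush;
spdflush;
spdadd $cnet $hnet any -P out ipsec esp/tunnel/$cip-$hip/require;
spdadd $hnet $cnet any -P in ipsec esp/tunnel/$hip-$cip/require;
EOF
}

# Real use after the dial-up comes up (not run here):
# render_spd "$(link_ipv4 tun0)" 192.168.10.0/24 198.51.100.1 10.0.0.0/24 | setkey -c
```

Keying (SAs) still has to come from racoon or manual `add` lines; this only covers the SPD half that depends on the dynamic address.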