From owner-freebsd-questions@FreeBSD.ORG Mon Aug 11 03:12:40 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8C6DB37B401; Mon, 11 Aug 2003 03:12:40 -0700 (PDT)
Received: from out004.verizon.net (out004pub.verizon.net [206.46.170.142]) by mx1.FreeBSD.org (Postfix) with ESMTP id 994F943F85; Mon, 11 Aug 2003 03:12:39 -0700 (PDT) (envelope-from kent.hauser@verizon.net)
Received: from hnl ([4.3.107.135]) by out004.verizon.net (InterMail vM.5.01.05.33 201-253-122-126-133-20030313) with ESMTP id <20030811101238.QQTE14849.out004.verizon.net@hnl>; Mon, 11 Aug 2003 05:12:38 -0500
From: Kent Hauser
To: Mike Tancsa
Date: Mon, 11 Aug 2003 00:11:58 -1000
User-Agent: KMail/1.5.3
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200308110011.58180.kent.hauser@verizon.net>
X-Authentication-Info: Submitted using SMTP AUTH at out004.verizon.net from [4.3.107.135] at Mon, 11 Aug 2003 05:12:38 -0500
cc: questions@freebsd.org
cc: security@freebsd.org
Subject: dynamic IPSEC
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Mon, 11 Aug 2003 10:12:40 -0000

Hi Mike,

Had any progress? I've also been stymied for a clean solution.

Previously, I used a simple SED script executed from "/etc/ppp/ppp.linkup" to edit a "setkeys" script which then negotiated with the office ascend router/gw & all was VPN heaven.

However, I now need to negotiate mobile(FreeBSD) to static(FreeBSD) & that is proving problematic. Executing a SED script after DHCP of mobile is easy, but it seems I also need to SED the static host's SPD -- ie no wildcards allowed as in the ascend router situation.

Needless to say, allowing "unauthenticated" hosts (read anyone) to modify the SPD on a machine so that it can be authenticated strikes me as putting the cart before the horse.

When I install a "wildcard" host (0.0.0.0) on the static side, racoon only negotiates the mobile->static SAD...which is useless & expires. Seems to me that racoon needs to update kernel SPDs with wildcards to support mobile VPNs. At least that's all I've been able to come up with.

Have you found a silver bullet?

Cheers,
Kent
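The mobile-side half of the procedure Kent describes (regenerate the setkey(8) SPD after the interface gets its dynamic address, instead of patching a stored script with sed) as an added example; this is not code from the original message or from the FreeBSD project. It assumes a hypothetical fixed peer address in STATIC_HOST and a caller (ppp.linkup or a dhclient exit hook) that passes the freshly assigned mobile address as the first argument. It does nothing about the static host's SPD, which is the part of the problem the message says remains unsolved. The address it interpolates arrives from the network, so it is validated before being written into a policy file:

```sh
#!/bin/sh
# Added example (not from the original post). Regenerates the IPsec SPD on a
# mobile FreeBSD host after it obtains a dynamic address, for host-to-host
# ESP in transport mode with a fixed peer. STATIC_HOST is an assumed value
# in the documentation range; override it from the environment.
STATIC_HOST="${STATIC_HOST:-192.0.2.10}"

# Accept only a well-formed dotted-quad IPv4 address (each octet 0-255).
# The address comes from DHCP/PPP, i.e. from the network, so it must not
# reach setkey unchecked.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the setkey configuration for MOBILE (arg 1) <-> STATIC_HOST.
# Both directions carry "require", so racoon is asked to negotiate an SA
# the first time matching traffic appears. Policies are flushed first so
# entries for a previous address do not linger.
gen_spd() {
    mobile=$1
    if ! is_ipv4 "$mobile"; then
        echo "gen_spd: refusing to use '$mobile' as an address" >&2
        return 1
    fi
    cat <<EOF
spdflush;
spdadd $mobile/32 $STATIC_HOST/32 any -P out ipsec esp/transport//require;
spdadd $STATIC_HOST/32 $mobile/32 any -P in ipsec esp/transport//require;
EOF
}

# Load the generated policy into the kernel when setkey is present;
# otherwise just print it, which lets the script be dry-run anywhere.
load_spd() {
    if command -v setkey >/dev/null 2>&1; then
        gen_spd "$1" | setkey -c
    else
        gen_spd "$1"
    fi
}

# Usage from a link-up hook: load_spd "$NEW_ADDRESS"
```

Because `gen_spd` rejects anything that is not a plain IPv4 address, a hostile DHCP or PPP peer cannot smuggle extra setkey directives (an `spdflush;` of its own, or a policy pointing at a different peer) into the script through the address field.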