Subject: IPsec setup (dynamic IP)
To: NetBSD Users <netbsd-users@netbsd.org>
From: Jukka Marin <jmarin@embedtronics.fi>
List: netbsd-users
Date: 07/01/2003 18:23:49
Hello,

We have a server with a permanent public IP.  We want a client to
be able to contact the server from any (dynamic) IP and establish
an IPsec tunnel to the server (to create a VPN).  I think this is
easy: you just need to specify the other address in the IPsec rules (on
the client) as 0.0.0.0/0 (as in the example in the NetBSD IPsec FAQ).

BUT, how can I tell racoon to start negotiating the IPsec policy
immediately?  If I start racoon, it just sits there, doing nothing.
I have to send a ping packet to the other end of the tunnel to get
racoon going.  What is a more elegant way? :)


The other problem is that the client's IP in the VPN is also
dynamically allocated.  Does racoon/IPsec provide a method for
allocating an IP from the server's VPN IP space and passing it to
the client?  We can't just pick any IP and expect it to work.


A bonus question: Do I always have to configure an aliased IP
(from the VPN IP space) to the client's network interface?  If so,
I need to get that IP from the server somehow.

We _could_ hardcode a unique IP for every client at the server
side, but that would require lots of work at both ends (assuming
there will be a large number of clients out there).

Thanks for any kind of light you can provide.. :)

  -jm
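For readers of this thread, an added example (not from the post or from the NetBSD FAQ) of the server-side racoon.conf pattern that accepts IKE peers from any address: `remote anonymous` with `passive on` tells racoon to only respond, never initiate, and `generate_policy on` makes it install the SPD entry for each client when that client's negotiation arrives, so the server needs no per-client policy. The server address 203.0.113.10 and the key file path are constructed placeholders; racoon still starts IKE only when the kernel requests an SA for traffic matching a `require` policy, so the client side remains the initiator.

```conf
# Constructed example: server-side /etc/racoon/racoon.conf for road-warrior clients.
# Pre-shared keys, one "identifier  key" line per client, live in this file:
path pre_shared_key "/etc/racoon/psk.txt";

# Match any initiator; the server has a fixed public address (203.0.113.10, placeholder).
remote anonymous {
        # Aggressive mode lets a dynamic-IP client identify itself by name
        # (e.g. a user_fqdn) instead of by its changing address; allow main too.
        exchange_mode aggressive, main;
        # Never initiate: wait for clients, which are the ones with traffic to send.
        passive on;
        # Install the SPD entry for the client's proposed selectors on success,
        # so no per-client spdadd is needed on the server.
        generate_policy on;
        # Accept the initiator's lifetime/PFS proposal rather than rejecting on mismatch.
        proposal_check obey;
        my_identifier address;
        lifetime time 1 hour;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Phase 2 parameters offered to any peer.
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm 3des, aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

This only covers the key exchange; it does not hand the client an address from the server's VPN range, which racoon of this era does not do on its own.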