Subject: IPsec setup (dynamic IP)
To: NetBSD Users <netbsd-users@netbsd.org>
From: Jukka Marin <jmarin@embedtronics.fi>
List: netbsd-users
Date: 07/01/2003 18:23:49
Hello,

We have a server with a permanent public IP. We want a client to
be able to contact the server from any (dynamic) IP and establish
an IPsec tunnel to the server (to create a VPN). I think this is
easy, you just need to specify the other address in IPsec rules (on
the client) as 0.0.0.0/0 (as in the example in NetBSD IPsec FAQ).

BUT, how can I tell racoon to start negotiating the IPsec policy
immediately? If I start racoon, it just sits there, doing nothing.
I have to send a ping packet to the other end of the tunnel to get
racoon going. What is the more elegant way? :)

The other problem is that the client's IP in the VPN is also
dynamically allocated. Does racoon/IPsec provide a method for
allocating an IP from the server's VPN IP space and passing it to
the client? We can't just pick any IP and expect it to work.

A bonus question: Do I always have to configure an aliased IP
(from the VPN IP space) to the client's network interface? If so,
I need to get that IP from the server somehow.

We _could_ hardcode a unique IP for every client at the server
side, but that would require lots of work at both ends (assuming
there will be a large number of clients out there).

Thanks for any kind of light you can provide.. :)

-jm
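The client-side policy the post describes (inner destination 0.0.0.0/0, tunnel to the server's fixed address, the client's own dynamic address as the other tunnel endpoint), as an added shell example that is not from the post or the NetBSD IPsec FAQ. The addresses, the interface name wm0 and the ifconfig parsing are assumptions; the VPN-side client address is hardcoded here because the post leaves open how it would be assigned.

```sh
#!/bin/sh
# Added example, not from the original post. Emits setkey(8) SPD entries for
# the client: inner addresses are the client's VPN alias and 0.0.0.0/0, outer
# tunnel endpoints are the client's current dynamic address and the server's
# permanent public address. All addresses are constructed placeholders.

SERVER_PUB=203.0.113.1   # server's permanent public IP (assumed)
CLIENT_VPN=10.1.0.5      # client's VPN-side address (assumed)

# Print SPD entries for the given outer (dynamic) client address.
# Only traffic from/to the VPN alias is matched, so the ESP and IKE packets
# sent from the outer address are not themselves caught by the policy.
gen_spd() {
    client_pub=$1
    printf 'spdflush;\n'
    printf 'spdadd %s/32 0.0.0.0/0 any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$CLIENT_VPN" "$client_pub" "$SERVER_PUB"
    printf 'spdadd 0.0.0.0/0 %s/32 any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$CLIENT_VPN" "$SERVER_PUB" "$client_pub"
}

# Current IPv4 address of the client's uplink, parsed from ifconfig output
# (assumed format: an "inet A.B.C.D" or "inet A.B.C.D/NN" line).
current_addr() {
    ifconfig "$1" | awk '$1 == "inet" { sub(/\/.*/, "", $2); print $2; exit }'
}

# Usage on the client, to be re-run whenever the dynamic address changes:
#   gen_spd "$(current_addr wm0)" | setkey -c
```

Loading the policy only installs it; as the post notes, racoon still negotiates the SA when the first packet matches the outbound entry.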