NetBSD-Users archive


Re: dynamic authenticated tunnel set-up



In article <Pine.NEB.4.64.1402121206510.8692%screamer.whooppee.com@localhost>,
Paul Goyette  <paul%whooppee.com@localhost> wrote:
>In the not-too-distant future, I'll be moving overseas, to a location where 
>fixed IPv4 network addresses are unavailable (or at least, they will be 
>prohibitively expensive!)
>
>I'm planning to get a virtual machine in a US location, with a single fixed 
>IPv4 address.  All of my other machines will be sitting behind some ISP's NAT 
>device.  And that ISP doesn't do IPv6.
>
>I would like to set things up so that my US-based virtual host is a backup MX 
>mail server for my domain, and one of the behind-the-NAT machines would be the 
>primary mail server.
>
>I can get an adequate supply of fixed IPv6 addresses from the company that 
>hosts the US-based virtual machine, so I can assign addresses to the 
>behind-the-NAT machines.  But I would need some sort of tunnel between the 
>virtual host and the rest of the machines.
>
>I know I can set this up using "ssh -w" and tun(4) devices, but the ssh man 
>page seems to indicate that this is not necessarily a good solution (due to 
>significant overhead?).
>
>So I'm looking for other options.  My primary requirements are fairly simple:
>
>* the tunnel needs to be established regardless of the address/port being used 
>on the behind-the-NAT end
>
>* the tunnel establishment must be authenticated in some manner, so that only 
>my systems can connect
>
>* the outer (encapsulating) protocol must be IPv4, while the inner 
>(encapsulated) protocol must be IPv6
>
>* it would also be highly desired that the tunnel establishment occur 
>automatically, and with automatic retry if the connection drops
>
>Any suggestions on something simple?

Not too simple, but I use L2TP via the pkgsrc xl2tpd.

christos


