Subject: Re: Using IKE with one fixed end and one dynamic end
To: Darren Reed <>
From: Thor Lancelot Simon <>
List: tech-net
Date: 10/30/2001 10:03:12
On Tue, Oct 30, 2001 at 10:46:59AM +1100, Darren Reed wrote:
> Hi,
>    Does anyone have any suggestions on how to configure IKE (racoon) for
> access to a LAN from cable internet (DHCP) ?  Can you assume you know
> nothing about the remote IP address ?  Particularly, what should
> the SPDs look like.

I think to get this right you need your IKE daemon to build and install
appropriate SPDs.  I see it as being the principal flaw of racoon that it
cannot do that; it makes it fundamentally unsuitable for what is increasingly
the most common case of IPsec deployment by new users ("road warrior" client
to corporate firewall/gateway).

If you want to deal with its horrible configuration syntax, I think you can
use isakmpd to do this.

Thor Lancelot Simon	                            
    And now he couldn't remember when this passion had flown, leaving him so
  foolish and bewildered and astray: can any man?
						   William Styron