Subject: Trying to set up a VPN from a dynamic address
To: None <netbsd-help@netbsd.org, tech-net@netbsd.org>
From: Chris Ross <cross+netbsd@distal.com>
List: tech-net
Date: 08/17/2005 14:34:51
   Hi there.  I hope someone on these lists can help me.  This is a request
for help, but it's fairly network-technical, so I hope the cross-post isn't
too much of a problem.

   I have a pair of NetBSD 2.0.x machines.  One of them is in a static
location with a static address (IPv4 and IPv6), and the other is at my
home behind a dynamically addressed broadband connection.  What
I'd like to do is set up routing (IPv4 and IPv6) across a tunnel that
is established by the machine at my home each time the address
changes.  It seems to be the easiest way to do this would be using 
IPsec,
since there's already authentication going on, and raccoon can be
configured to take a connection from a dynamic/random address.

   I looked at the documentation at:

http://netbsd.org/Documentation/network/ipsec/rasvpn.html

   But, as you see, it's for much more recent versions of NetBSD than
I'm running.  These are both important machines, so I'm running
released code on them.  I am hoping that I can continue to do
this, but if I absolutely have to, I could probably test a pre-3.0 tree
if I needed to.  I don't know how stable the 3.0_BETA branch is.
The first question is "Can this sort of thing be done with NetBSD 2.x?"

   Assuming so, any idea how?  I'm happy to use certificates, or even
pre-shared keys.  I don't need a "general purpose" VPN solution here,
just a solution to allow one dynamically-addressed connection to
come up.

   There is also not much information in the aforementioned web page
about how to route things through that connection.  Is it possible to
route across it?  Or do I have to create a tunnel interface?  I assume
it just sets up an IPsec connection to that one host, across the
normal route to that host.  Is there a way to hook actions into racoon
on the statically-addressed machine that will make it either create
a tunnel interface, or simply route a network to the peer on the other
side of this new IPsec connection?

   Thank you.  All help is appreciated.  I presume the lists won't need
to be Cc'd on all of it, but I'll leave that decision to each responder.

                                            - Chris
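An added worked example of the setup asked about above. It is not from the original post, from any reply, or from NetBSD's documentation; it is a sketch of the usual racoon "road warrior" arrangement: the static host accepts phase 1 from `remote anonymous`, the roaming host identifies itself by FQDN in aggressive mode (in main mode racoon looks the pre-shared key up by source address, which a dynamic peer does not have), and `generate_policy on` makes the static host install SPD entries from the peer's phase 2 proposal, so the roaming side alone has to rewrite its policy when the address changes. Tunnel-mode policy is applied after routing, so an ordinary default route is enough to carry the packet to the point where the policy encapsulates it and no gif(4) interface is required. The addresses 192.0.2.1, 10.0.1.0/24 and 10.0.2.0/24, the names static.example.org and home.example.org, the script name vpn-up.sh and the hook it is called from are all assumptions; the directive names follow racoon.conf(5) as shipped with KAME/ipsec-tools racoon and should be checked against the manual page on a 2.0.x box. Two caveats a practitioner will want: psk.txt must be mode 0600 or racoon refuses to read it, and aggressive-mode PSK authentication exposes a hash of the key to offline dictionary attack by anyone who can observe the exchange, so the key must be long and random (or use certificates, which the poster said was acceptable).

```shell
#!/bin/sh
# vpn-up.sh (hypothetical name): bring up tunnel-mode IPsec from a
# dynamically addressed NetBSD host to a static peer, and emit the matching
# racoon.conf for both ends.  Added example, not from the original post;
# every address, name and path below is an assumption.

STATIC_PEER=192.0.2.1        # assumed static public address of the fixed host
STATIC_FQDN=static.example.org
HOME_FQDN=home.example.org
HOME_NET=10.0.1.0/24         # assumed network behind the home machine
REMOTE_NET=10.0.2.0/24       # assumed network behind the static machine

# Current IPv4 address on the broadband interface, as ifconfig prints it.
current_addr() {
    ifconfig "$1" | awk '$1 == "inet" { print $2; exit }'
}

# SPD for the home side in setkey(8) syntax: tunnel-mode ESP between the two
# networks, with the dynamic address as the outer source.  The default route
# carries the packet to ip_output, where the policy match encapsulates it.
spd_for() {
    dyn=$1
    printf 'spdflush;\n'
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$HOME_NET" "$REMOTE_NET" "$dyn" "$STATIC_PEER"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$REMOTE_NET" "$HOME_NET" "$STATIC_PEER" "$dyn"
}

# Phase 2 parameters, identical on both ends.
sainfo_common() {
    cat <<'EOF'
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes, 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
EOF
}

# racoon.conf for the roaming (home) side: always the initiator.
racoon_conf_home() {
    cat <<EOF
path pre_shared_key "/etc/racoon/psk.txt";

remote $STATIC_PEER {
        # aggressive mode sends the identities in the first exchange, so the
        # static end can pick our PSK by FQDN instead of by source address
        exchange_mode aggressive;
        my_identifier fqdn "$HOME_FQDN";
        peers_identifier fqdn "$STATIC_FQDN";
        proposal_check obey;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
EOF
    sainfo_common
}

# racoon.conf for the static side: accept any address, never initiate.
# /etc/racoon/psk.txt (mode 0600) holds one line: "$HOME_FQDN <long-random-key>"
racoon_conf_static() {
    cat <<EOF
path pre_shared_key "/etc/racoon/psk.txt";

remote anonymous {
        exchange_mode aggressive,main;
        my_identifier fqdn "$STATIC_FQDN";
        passive on;
        generate_policy on;
        proposal_check obey;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
EOF
    sainfo_common
}

# Re-derive policy from the interface's current address and restart racoon,
# whose phase 1 SAs are bound to the old address.
apply_home() {
    dyn=$(current_addr "$1")
    [ -n "$dyn" ] || { echo "no IPv4 address on $1" >&2; return 1; }
    racoon_conf_home > /etc/racoon/racoon.conf
    spd_for "$dyn" | setkey -c
    pkill racoon 2>/dev/null || true
    racoon -f /etc/racoon/racoon.conf
}

# Call as "sh vpn-up.sh up <interface>" from the dhclient or pppd link-up hook.
if [ "${1:-}" = "up" ] && [ -n "${2:-}" ]; then
    apply_home "$2"
fi
```

Traffic from 10.0.1.0/24 toward 10.0.2.0/24 hits the `out` policy, the kernel asks racoon for an SA, and racoon negotiates with 192.0.2.1; the static side installs the mirror-image policy from the proposal, which is why it needs no script of its own. The same `spdadd` form takes IPv6 prefixes and outer addresses, so the IPv6 half of the question is the same script with a second pair of policies.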