Subject: Re: "racoon" doesn't initiate quick mode
To: Matthias Scheler <tron@zhadum.de>
From: Stephen Degler <sdegler@degler.net>
List: tech-net
Date: 09/11/2005 19:32:05
Hi,

Two things of note here:

1) Since the VPN client is dynamic, you need to generate policy 
dynamically on the client side. I have scripts that do this, but 
essentially what I did was to hook dhcp or pppoe as appropriate and 
generate policy (I used sed on a template ipsec.conf) based on the 
address it acquired. pppoe requires ifwatchd; dhclient can call a script 
when an address is acquired.

2) you want to change

sainfo address 10.0.0.0/24 any address 10.0.24.0/23 any {
	lifetime time 1 hours;
	encryption_algorithm aes;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}

to be the *external* addresses of the tunnel.  To deal with the dynamic aspect, you may want to just use "sainfo anonymous".

The VPN server must have a "remote anonymous" clause to deal with VPN clients that originate from an unknown address.  The "generate policy" statement need only apply to this specific clause. 

skd


Matthias Scheler wrote:

>	Hello,
>
>I've got a VPN client running ipsec-tools 0.6.1 under NetBSD 3.0_BETA.
>When the DSL link goes up it creates and loads a "ipsec.conf" like
>this one:
>
>spdadd 10.0.0.0/24 10.0.24.0/23 any -P out ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
>spdadd 10.0.24.0/23 10.0.0.0/24 any -P in ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
>
>10.0.0.0/24	local protected network
>5.6.7.8		local public dynamically assigned IP address
>
>10.0.24.0/23	remote protected network
>1.2.3.4		remote public fixed IP address used by VPN peer
>
>"racoon" is configured like this:
>
>path pre_shared_key "/etc/racoon/psk.txt";
>
>listen {
>	adminsock "/var/racoon/racoon.sock" "root" "operator" 0660;
>	isakmp 0.0.0.0 [500];
>	isakmp_natt 0.0.0.0 [4500];
>}
>
>remote 1.2.3.4 {
>	exchange_mode aggressive;
>	my_identifier user_fqdn "foobar@domain.com";
>	peers_identifier address 1.2.3.4;
>	proposal_check obey;
>	passive off;
>	nat_traversal on;
>	proposal {
>		authentication_method pre_shared_key;
>		encryption_algorithm aes;
>		hash_algorithm sha256;
>		dh_group 2;
>		lifetime time 24 hours;
>	}
>}
>
>sainfo address 10.0.0.0/24 any address 10.0.24.0/23 any {
>	lifetime time 1 hours;
>	encryption_algorithm aes;
>	authentication_algorithm hmac_sha1;
>	compression_algorithm deflate;
>}
>
>Things which don't work:
>
>1.) Phase 1 is not started when traffic is sent between the protected
>    networks. The admin of the VPN client has to use "racoonctl vc 5.6.7.8"
>    to start the phase 1 negotiation.
>
>2.) After phase 1 is completed he's got a similar problem: the client
>    doesn't start phase 2 negotiation. I have to create a policy on the
>    VPN server (which is supposed to use racoon's policy generation feature)
>    to get phase 2 started. Phase 2 completed successfully afterwards and
>    we can exchange traffic.
>
>Any ideas what is going wrong?
>
>	Kind regards
>
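The dynamic policy generation described in point 1 of the reply above, as an added example that is not part of the original thread: a small sh hook that fills the client's two spdadd lines from a template with the address just acquired, refuses anything that is not a dotted-quad IPv4 address before it can reach setkey(8), and flushes the old SPD before loading the new one so a policy carrying the previous address does not linger. The template placeholders (@LOCAL_IP@ and friends), the hook's argument convention, and the use of dhclient's new_ip_address and reason variables are assumptions for illustration; the spdadd lines and the addresses are the ones from Matthias's configuration.

```shell
#!/bin/sh
# Added example (not from the original thread): regenerate the client's
# SPD policy from a template whenever the dynamic public address changes.
# Placeholder names and hook conventions are assumptions; the spdadd
# syntax and the addresses are those posted in the thread.

# Static parameters of this tunnel (values from the post).
LOCAL_NET="10.0.0.0/24"
REMOTE_NET="10.0.24.0/23"
REMOTE_IP="1.2.3.4"

# is_ipv4 ADDR: succeed only for a dotted quad with each octet in 0..255,
# so a bogus or hostile value from the hook never lands in the SPD.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
    '
}

# Template for ipsec.conf; the @...@ tokens are filled in at run time.
policy_template() {
    cat <<'EOF'
spdadd @LOCAL_NET@ @REMOTE_NET@ any -P out ipsec esp/tunnel/@LOCAL_IP@-@REMOTE_IP@/require;
spdadd @REMOTE_NET@ @LOCAL_NET@ any -P in ipsec esp/tunnel/@REMOTE_IP@-@LOCAL_IP@/require;
EOF
}

# render_policy LOCAL_IP: print the filled-in ipsec.conf on stdout.
# '|' is used as the sed delimiter because the networks contain '/'.
render_policy() {
    local_ip=$1
    if ! is_ipv4 "$local_ip"; then
        echo "render_policy: refusing bad address '$local_ip'" >&2
        return 1
    fi
    policy_template | sed \
        -e "s|@LOCAL_IP@|$local_ip|g" \
        -e "s|@REMOTE_IP@|$REMOTE_IP|g" \
        -e "s|@LOCAL_NET@|$LOCAL_NET|g" \
        -e "s|@REMOTE_NET@|$REMOTE_NET|g"
}

# load_policy LOCAL_IP: render to a temp file, flush the old SPD
# (setkey -FP) and load the new one; keep the file as /etc/ipsec.conf
# only if setkey accepted it.
load_policy() {
    tmp=$(mktemp /tmp/ipsec.conf.XXXXXX) || return 1
    if ! render_policy "$1" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    setkey -FP && setkey -f "$tmp" && mv "$tmp" /etc/ipsec.conf
}

# Hook entry point (assumed conventions): an ifwatchd up-script passes
# the address on the command line; dhclient-exit-hooks instead exports
# $new_ip_address and $reason, and only BOUND/REBOOT carry a fresh lease.
if [ $# -gt 0 ]; then
    load_policy "$1"
elif [ "${reason:-}" = "BOUND" ] || [ "${reason:-}" = "REBOOT" ]; then
    load_policy "$new_ip_address"
fi
```

Run as `vpn-policy.sh 5.6.7.8` from an ifwatchd up-script, or source it from /etc/dhclient-exit-hooks, and /etc/ipsec.conf tracks the current address. This only covers the client's SPD; the server side still needs the `remote anonymous` clause with policy generation that point 2 of the reply describes.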