Subject: Re: ipsec help? trying to tunnel to freeswan
To: None <tech-net@netbsd.org>
From: Ken Raeburn <raeburn@raeburn.org>
List: tech-net
Date: 11/09/2001 18:59:41

I wrote:
> Bill Studenmund <wrstuden@netbsd.org> writes:
>> You should look specifically at racoon and isakmpd. I prefer racoon, but
> I have; that's where I found all the references to "put your

Actually, I looked at racoon relatively recently, isakmpd earlier.
I'll look into isakmpd again and see if it's changed, or if I missed
something before...


Thor Lancelot Simon <tls@rek.tjls.com> writes:
>> pre-shared secret key here" type stuff that seems to assume a
>> different setup than the one I have to talk to.  Maybe they just don't
>> support this mode, but I am not familiar enough with IPsec yet to
> If by "this mode" you mean "obtaining certificates from DNS" I think
> you mean "FreeS/WAN's *extension* to IPsec that..."; getting certificates
> from DNS is standardized for secure DNS, but not for IPsec AFAIK.

I mean, authenticating by exchanging public keys and ID names, not
secret keys, and without certificates.  The IPsec KEY RR may be an
extension, I don't know, but the record isn't actually in DNS, it's
just put up on the relevant web page with the other info.  (The
maintainer of the remote tunnel endpoint doesn't have any control over
the live DNS data.)