Subject: Re: Using IKE with one fixed end and one dynamic end
To: None <>
From: Darren Reed <>
List: tech-net
Date: 10/31/2001 02:27:19

In some email I received from Thor Lancelot Simon, sie wrote:
> On Tue, Oct 30, 2001 at 10:46:59AM +1100, Darren Reed wrote:
> > 
> > Hi,
> >    Does anyone have any suggestions on how to configure IKE (racoon) for
> > access to a LAN from cable internet (DHCP)?  Can you assume you know
> > nothing about the remote IP address?  Particularly, what should
> > the SPDs look like?
> I think to get this right you need your IKE daemon to build and install
> appropriate SPDs.  I see it as being the principal flaw of racoon that it
> cannot do that; it makes it fundamentally unsuitable for what is increasingly
> the most common case of IPsec deployment by new users ("road warrior" client
> to corporate firewall/gateway).


If there's a sample config that should be distributed with racoon, it is


which "just works".  Having configuration file aliases for default-route
interface (or interface IP#) would be very useful here.