Subject: ipsec_set_policy(3) syntax for multiple tunnel endpoints
To: None <tech-net@netbsd.org>
From: Matthias Drochner <M.Drochner@fz-juelich.de>
List: tech-net
Date: 06/17/2002 17:58:58
Hi -
I've set up a gateway which acts as an ipsec tunnel endpoint for
a number of wireless machines.
The setup is similar to the "leaf-node tunnel" example in the ipsec FAQ
on www.netbsd.org.
ipsec.conf on the wireless client A looks like:

spdadd A 0.0.0.0/0 any -P out ipsec esp/tunnel/A-R/require;
spdadd 0.0.0.0/0 A any -P in ipsec esp/tunnel/R-A/require;

where R is the router and A, B, C... are the clients.

On the router R the list gets longer:

spdadd 0.0.0.0/0 A any -P out ipsec esp/tunnel/R-A/require;
spdadd A 0.0.0.0/0 any -P in ipsec esp/tunnel/A-R/require;
spdadd 0.0.0.0/0 B any -P out ipsec esp/tunnel/R-B/require;
spdadd B 0.0.0.0/0 any -P in ipsec esp/tunnel/B-R/require;
spdadd 0.0.0.0/0 C any -P out ipsec esp/tunnel/R-C/require;
spdadd C 0.0.0.0/0 any -P in ipsec esp/tunnel/C-R/require;
[...]
spdadd 0.0.0.0/0 DLNET any -P out discard;
spdadd DLNET 0.0.0.0/0 any -P in discard;

DLNET is the network where all the diskless boxes are in.

Obviously, this doesn't scale well. It would be nice
just to need two lines like:

spdadd 0.0.0.0/0 DLNET any -P out ipsec esp/tunnel/R-(=PEER)/require;

where (=PEER) would evaluate to the actual connection partner from
DLNET at runtime.

Is there already a way which I missed?
Or isn't this a good idea in general?

best regards
Matthias
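Since the SPD syntax offers no runtime peer macro of the kind asked about above, the practical way to keep the router's policy list manageable is to generate it. The script below is an added example, not part of the original post or of any NetBSD tool: it emits the per-client `spdadd` pairs for router R exactly in the form shown in the message, followed by the two `discard` catch-all entries for DLNET. The function names (`gen_router_spd`, `gen_client_spd`) and the addresses in the usage call (RFC 5737 documentation ranges) are constructed for illustration.

```shell
#!/bin/sh
# Added example: generate setkey(8) SPD entries for a router R that
# terminates one ESP tunnel per client in DLNET (layout as in the post).

# gen_router_spd ROUTER DLNET CLIENT...
# For each client A: an outbound policy R->A and an inbound policy A->R,
# then the discard entries that cover the rest of DLNET.
gen_router_spd() {
    router=$1
    dlnet=$2
    shift 2
    for a in "$@"; do
        printf 'spdadd 0.0.0.0/0 %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
            "$a" "$router" "$a"
        printf 'spdadd %s 0.0.0.0/0 any -P in ipsec esp/tunnel/%s-%s/require;\n' \
            "$a" "$a" "$router"
    done
    # Traffic to or from DLNET hosts that have no tunnel policy is dropped,
    # so a client without an SA cannot talk through the gateway in the clear.
    printf 'spdadd 0.0.0.0/0 %s any -P out discard;\n' "$dlnet"
    printf 'spdadd %s 0.0.0.0/0 any -P in discard;\n' "$dlnet"
}

# gen_client_spd ROUTER CLIENT
# The two lines a single wireless client needs, as in the post.
gen_client_spd() {
    router=$1
    client=$2
    printf 'spdadd %s 0.0.0.0/0 any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$client" "$client" "$router"
    printf 'spdadd 0.0.0.0/0 %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$client" "$router" "$client"
}

# count_spd ROUTER DLNET CLIENT...  -> number of spdadd lines produced
count_spd() {
    gen_router_spd "$@" | grep -c '^spdadd'
}

# Usage (constructed addresses): three clients in 198.51.100.0/24.
if [ "${1:-}" = "--demo" ]; then
    gen_router_spd 192.0.2.1 198.51.100.0/24 \
        198.51.100.10 198.51.100.11 198.51.100.12
fi
```

Run with `--demo` to print the router's ipsec.conf fragment, or pipe the output into `setkey -c` after reviewing it; the discard entries are emitted last so the generated file keeps the same ordering as the hand-written configuration in the post.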