dynamic IPSEC
Kent Hauser
kent.hauser at verizon.net
Mon Aug 11 03:12:40 PDT 2003
Hi Mike,
Had any progress? I've also been stymied for a clean solution. Previously, I
used a simple SED script executed from "/etc/ppp/ppp.linkup" to edit a
"setkeys" script which then negotiated with the office ascend router/gw & all
was VPN heaven. However, I now need to negotiate mobile(FreeBSD) to
static(FreeBSD) & that is proving problematic. Executing a SED script after
DHCP of mobile is easy, but it seems I also need to SED the static host's SPD
-- i.e. no wildcards allowed as in the ascend router situation. Needless to
say, allowing "unauthenticated" hosts (read anyone) to modify the SPD on a
machine so that it can be authenticated strikes me as putting the cart before
the horse.
When I install a "wildcard" host (0.0.0.0) on the static side, racoon only
negotiates the mobile->static SAD...which is useless & expires. Seems to me
that racoon needs to update kernel SPDs with wildcards to support mobile
VPNs. At least that's all I've been able to come up with.
Have you found a silver bullet?
Cheers, Kent
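
The link-up step described in the message above (rewriting a setkey policy once the mobile address is known), as an added example that is not part of the original post. The function names, the `@MOBILE@`/`@GATEWAY@`/`@NET@` placeholders and all addresses are assumptions chosen for illustration; the address is validated before substitution so nothing but a dotted quad can reach the policy text.

```shell
#!/bin/sh
# Added example: render the mobile side's setkey policy from a template
# when the link comes up. Addresses are constructed documentation values.

GATEWAY=192.0.2.1          # assumed office gateway address
OFFICE_NET=10.1.0.0/16     # assumed office network behind the gateway

# Succeed only for a dotted-quad IPv4 address with each octet in 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray chars, bad dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                   # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print setkey commands for the given mobile address on stdout.
# Refuses anything that is not a plain IPv4 address.
render_spd() {
    is_ipv4 "$1" || { echo "refusing bad address: $1" >&2; return 1; }
    sed -e "s|@MOBILE@|$1|g" -e "s|@GATEWAY@|$GATEWAY|g" \
        -e "s|@NET@|$OFFICE_NET|g" <<'EOF'
flush;
spdflush;
spdadd @MOBILE@/32 @NET@ any -P out ipsec esp/tunnel/@MOBILE@-@GATEWAY@/require;
spdadd @NET@ @MOBILE@/32 any -P in ipsec esp/tunnel/@GATEWAY@-@MOBILE@/require;
EOF
}

# From a link-up hook the output would be piped to "setkey -c", e.g.:
#   render_spd "$new_address" | setkey -c
```

This covers only the mobile side; the static host's SPD problem raised in the message is not addressed by it.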