> Did I understand right that you use the IDs with %any IPs for your gateway
> to gateway connections?  I currently have 2 users with home LANs that are on
> dynamic IPs.  Since the IPs change rarely I treat them as static, but when
> they change I need to update the ipsec.conf file.
Yes...this is possible, and how I have configured the couple of systems in
our VPN mesh that have dynamic connections.

> Currently one of my configs looks like this (left is remote dynamic treated
> as static, right is local static):

<snip>

> Are you saying I could do something like this (left is remote dynamic, right
> is local static):

<snip>

Yes.  Some details of one of my configs (just the connection
specifications)...works with my IPSec V1.91 package & kernels.

Dynamic system:

<ipsec.conf>
conn %default
    type=tunnel
    auto=start
    [EMAIL PROTECTED]
    left=%defaultroute
    leftsubnet=10.31.32.0/24
    leftfirewall=yes
    keyexchange=ike
    authby=rsasig
    leftrsasigkey=0x0103b...
    keylife=8h
    keyingtries=0
include ipsec/SanAntonio.conf

<SanAntonio.conf>
conn SanAntonio
    [EMAIL PROTECTED]
    right=207.235.86.252
    rightnexthop=207.235.86.1
    rightsubnet=10.28.0.0/19
    rightrsasigkey=0x0103c...

Static system:

<ipsec.conf>
conn %default
    type=tunnel
    auto=start
    [EMAIL PROTECTED]
    left=207.235.86.252
    leftnexthop=207.235.86.254
    leftsubnet=10.28.0.0/19
    leftfirewall=yes
    keyexchange=ike
    authby=rsasig
    leftrsasigkey=0x0103c...
    keylife=8h
    keyingtries=1
include ipsec/Aptos.conf

<Aptos.conf>
conn Aptos
    [EMAIL PROTECTED]
    right=%any
    rightsubnet=10.31.32.0/24
    rightrsasigkey=0x0103b...

Remote dynamic connections are identified initially by their ID, then
authenticated using their RSA key.  AFAIK, the same can be done with
pre-shared secrets, but I'm not sure...

NOTE: Reading over this, I should probably have auto=load instead of
auto=start on the static side...it's impossible to start a connection from
the static side, since the peer IP is unknown.

> That would be a great solution to my dynamic gateways.  Also, do you have
> any experience with Windoze VPN clients?  I did some testing with several
> and SSH Sentinel seemed to be the easiest, but an Open Source and/or free
> solution would be better.

Sorry, I haven't used any windows VPN clients.
Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
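The static-side config above has two properties that are easy to get wrong when a peer is `right=%any`: the peer must carry an ID and an RSA key to be matched and authenticated, and the static side cannot initiate because the peer address is unknown. The following is an added example, not code from the post or from the LEAF/FreeS/WAN project: a small linter that parses the `conn` / `include` layout shown above (only `conn` sections are modelled, not `config setup`), merges `conn %default` into each connection, and flags a `%any` side that lacks an ID or RSA key or is set to `auto=start`. The sample files, hostnames, addresses and key strings are constructed placeholders; the suggested keyword `auto=add` is FreeS/WAN's documented "load but do not initiate" value, which is what the note in the post is reaching for.

```python
import re

# Constructed sample: the static gateway, with the include layout from the post.
# IDs, addresses and keys are placeholders, not real values.
SAMPLE_STATIC = {
    "ipsec.conf": """\
conn %default
    type=tunnel
    auto=start
    leftid=@static.example
    left=192.0.2.10
    leftnexthop=192.0.2.1
    leftsubnet=10.28.0.0/19
    leftfirewall=yes
    keyexchange=ike
    authby=rsasig
    leftrsasigkey=0xPLACEHOLDER_STATIC_KEY
    keylife=8h
    keyingtries=1
include ipsec/Aptos.conf
""",
    "ipsec/Aptos.conf": """\
conn Aptos
    rightid=@dynamic.example
    right=%any
    rightsubnet=10.31.32.0/24
    rightrsasigkey=0xPLACEHOLDER_DYNAMIC_KEY
""",
}

# Constructed sample: the dynamic gateway, which legitimately keeps auto=start.
SAMPLE_DYNAMIC = {
    "ipsec.conf": """\
conn SanAntonio
    auto=start
    leftid=@dynamic.example
    left=%defaultroute
    leftsubnet=10.31.32.0/24
    authby=rsasig
    leftrsasigkey=0xPLACEHOLDER_DYNAMIC_KEY
    rightid=@static.example
    right=192.0.2.10
    rightsubnet=10.28.0.0/19
    rightrsasigkey=0xPLACEHOLDER_STATIC_KEY
""",
}


def parse_conns(files, entry="ipsec.conf"):
    """Return {conn_name: {param: value}} with conn %default merged into each conn.

    `files` maps path -> text so `include` lines resolve in memory (offline).
    """
    sections = {}
    current = None

    def walk(path):
        nonlocal current
        for line in files[path].splitlines():
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            if line[0] not in " \t":  # unindented: section header or include
                m = re.match(r"(conn|include)\s+(\S+)\s*$", line)
                if not m:
                    raise ValueError(f"unrecognised line in {path}: {line!r}")
                if m.group(1) == "include":
                    walk(m.group(2))
                else:
                    current = sections.setdefault(m.group(2), {})
            else:  # indented: key=value inside the current conn
                key, eq, value = line.strip().partition("=")
                if current is None or not eq:
                    raise ValueError(f"parameter outside a conn in {path}: {line!r}")
                current[key.strip()] = value.strip()

    walk(entry)
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **params} for name, params in sections.items()}


def check_dynamic_peer(conn, params):
    """Findings for a conn whose left or right peer address is %any."""
    findings = []
    for side in ("left", "right"):
        if params.get(side) != "%any":
            continue
        # Peer address is unknown, so it is matched by ID, then authenticated.
        if f"{side}id" not in params:
            findings.append(f"{conn}: {side}=%any needs {side}id to match the peer")
        if params.get("authby", "secret") == "rsasig" and f"{side}rsasigkey" not in params:
            findings.append(f"{conn}: authby=rsasig needs {side}rsasigkey for the %any peer")
        if params.get("auto") == "start":
            findings.append(f"{conn}: auto=start cannot initiate to {side}=%any; "
                            f"use auto=add so the conn is loaded and waits for the peer")
    return findings


def lint(files, entry="ipsec.conf"):
    """Parse the config tree and return all findings, in file order."""
    return [f for name, p in parse_conns(files, entry).items()
            for f in check_dynamic_peer(name, p)]
```

Run `lint(SAMPLE_STATIC)` to see the single `auto=start` finding for the `Aptos` conn; swapping in `auto=add` on the static side clears it, while the dynamic side's `auto=start` produces no finding because neither of its peers is `%any`.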