On Fri, Dec 31, 2010 at 04:19:53PM -0600, Matt Evans wrote:
> A friend and I are both on dynamic IP residential broadband
> connections. We both use OpenBSD boxes as edge devices.
>
> We were wondering if it were possible to create an ipsec tunnel between
> us, even though we both have dynamic public IPs.
>
> The documentation I've read seems to suggest that at least _somebody_
> must have a static IP.
>
> I can understand that at some point, needing the public IPs is necessary
> for setting up the tunnel, but is it possible that dyndns or some other
> dynamic mechanism can be used to find the public IPs as needed? Isn't
> it the case that IPsec can mutually authenticate peers based on keys,
> and fixed public IPs aren't required as part of peer authentication?

Why do you think IPSec needs one fixed-IP endpoint? Certainly, things
won't work if both of you change IP addresses before the DNS updates,
but you seem to accept that.

You can also get a fixed IP for free by contacting one of the IPv6
tunnel brokers. Yes, this will be IPv6-over-IPv4, which has its issues.

Joachim
--
PotD: textproc/groff - gnu clone of nroff
http://www.joachimschipper.nl/