On Fri, Dec 31, 2010 at 04:19:53PM -0600, Matt Evans wrote:
> A friend and I are both on dynamic IP residential broadband
> connections. We both use OpenBSD boxes as edge devices.
>
> We were wondering if it were possible to create an ipsec tunnel between
> us, even though we both have dynamic public IPs.
>
> The documentation I've read seems to suggest that at least _somebody_
> must have a static IP.
>
> I can understand that at some point, needing the public IPs is necessary
> for setting up the tunnel, but is it possible that dyndns or some other
> dynamic mechanism can be used to find the public IPs as needed? Isn't
> it the case that IPsec can mutually authenticate peers based on keys,
> and fixed public IPs aren't required as part of peer authentication?

Why do you think IPSec needs one fixed-IP endpoint? Certainly, things won't work if both of you change IP addresses before the DNS updates, but you seem to accept that.

You can also get a fixed IP for free by contacting one of the IPv6 tunnel brokers. Yes, this will be IPv6-over-IPv4, which has its issues.

Joachim

-- 
PotD: textproc/groff - gnu clone of nroff
http://www.joachimschipper.nl/