
Re: Isakmpd and dynamic IPs configuration?



On Tue, 2 Sep 2003, Thierry TM. Michalowski wrote:
...
> When Box A,B,C have a static IP address I managed to create the VPN
> tunnels.
> However, that required me to create my peers and connections in
> isakmpd.conf by assigning an explicit IP address for each of them.
>
> Now, what I would like to do is that Box A and Box B have a
> dynamically-assigned IP address.
> How should I do this with isakmpd?
> (I'm using OpenBSD 3.2).

(Due to linewrap I'm not quite sure how your net looks, but...)

For each tunnel (using "static configs" (*)), one side at least needs a
static IP. (We may consider doing DNS-lookups eventually, but currently a
static IP is required.)

The side with the fixed IP defines its phase 1 section like this:

  [Phase 1]
  Default=	some-peer

(and the '[some-peer]' section lacks an 'Address=' tag)

In case your 'C' peer has a fixed IP, and A and B only connect to it (and
not each other directly), this should work fine. Also, using certificate
authentication makes this work nicer.

Note that the side using "Default" cannot initiate negotiations with the
other peer(s), as it does not have the IP to connect to them with. It can
only respond to negotiation requests. Because of this, you really do not
need any phase 2 related configuration in this peer's isakmpd.conf. (You
probably want to do some checking with isakmpd.policy though, as usual. :)

/H

(*) It is possible to generate isakmpd.conf's "dynamically" (possibly
scripted) to change IPs in the configuration files as required. I haven't
really experimented with this myself, so I have no examples. Calling
something from the end of dhclient-script(8) seems like a good place to
start...
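An added example, not from this post and not part of isakmpd or OpenBSD: a sketch of the dhclient-script hook the footnote suggests, for a roaming peer (Box A or B) whose Address= points at the fixed IP of Box C. It assumes the config lives at /etc/isakmpd/isakmpd.conf, the pid file at /var/run/isakmpd.pid, that dhclient-script(8) exports $reason and $new_ip_address, and a constructed "peer-C" section; check those against your own dhclient-script before sourcing it from the end.

```shell
# Added example, not from the post: a dhclient-script(8) hook for a roaming
# peer that rewrites Local-address= in isakmpd.conf on a new lease and
# restarts isakmpd. Assumed: /etc/isakmpd/isakmpd.conf, /var/run/isakmpd.pid,
# and the $reason/$new_ip_address variables exported by dhclient-script.
CONF="${ISAKMPD_CONF:-/etc/isakmpd/isakmpd.conf}"
PIDFILE=/var/run/isakmpd.pid

# Replace the value of every Local-address= tag in $1 with IPv4 literal $2.
# Only dotted-quad input is accepted (so lease data never reaches sed
# unescaped); the result is written to a temp copy and renamed into place.
update_local_address() {
    conf="$1" ip="$2"
    case "$ip" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    tmp="${conf}.tmp.$$"
    sed "s/^\([[:space:]]*Local-address=[[:space:]]*\).*/\1$ip/" "$conf" > "$tmp" &&
        mv "$tmp" "$conf"
}

# Print the current Local-address= value from $1 (empty if absent).
current_local_address() {
    sed -n 's/^[[:space:]]*Local-address=[[:space:]]*//p' "$1"
}

# Called from the end of dhclient-script: act only on a (re)bound lease whose
# address differs from what isakmpd.conf already holds.
dhcp_hook() {
    case "${reason:-}" in BOUND|RENEW|REBIND|REBOOT) ;; *) return 0 ;; esac
    [ "$(current_local_address "$CONF")" = "${new_ip_address:-}" ] && return 0
    update_local_address "$CONF" "$new_ip_address" || return 1
    [ -r "$PIDFILE" ] && kill "$(cat "$PIDFILE")"   # stop the old daemon
    isakmpd                                          # restart on the new address
}

# Constructed roaming-side isakmpd.conf for Box A: Address= is Box C's fixed
# IP (198.51.100.1, documentation range); Local-address= is kept current above.
write_sample_conf() {
    cat > "$1" <<'EOF'
[Phase 1]
198.51.100.1=    peer-C

[peer-C]
Phase=           1
Local-address=   0.0.0.0
Address=         198.51.100.1
Configuration=   Default-main-mode
EOF
}
```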