Re: Isakmpd and dynamic IPs configuration?

[jared r r spiegel <jrrs@ice-nine.org>]

On Wed, Sep 03, 2003 at 07:26:34AM -0700, Anthony Schlemmer wrote:
> 
> Certainly it would be a nice enhancement if "isakmpd" supported FQDNs 
> since there are many users that only have DHCP assigned routable 
> addresses.
> 
> Tony

  we've had UFQDN (phaseI) going here for some several months ( 8 ish or so? ), 
  so are you sure it doesn't have plain FQDN support?

  to answer

> On Tuesday 02 September 2003 09:31 am, Thierry TM. Michalowski wrote:

> > Now, what I would like to do is that Box A and Box B have a
> > dynamically-assigned IP address.
> > How should I do this with isakmpd?
> > (I'm using OpenBSD 3.2).

  if both of them have dynamic IP, the question becomes how do they
  reach one another?  that's where tony is talking about DNS, it seems.
  
  it's a pretty ugly setup, but it is as reliable as the reliability
  of the cumulative link between A-B and B-C, but i did setup an isakmpd
  channel between two hosts without respect to what *their* IPs were.

  both hosts made an active connection to a VPN peer with a static IP.
  then they made another connection to that VPN peer over the newly formed
  encrypted channel; at that point ( memory is foggy here ) another
  connection was made to the VPN peer, but the VPN peer would use the
  other remote peer's VPN IP as the 'local' part, thus creating a packet
  forwarding effect.  the end result was that dynahost A could ping dynahost B
  *via* statichostA, with absolutely no knowledge of dynahost B's "WAN" or
  routable IP.  obviously the RTT was the sum of all parts, and there's
  likely more chance of failure between A->B->C than just A->C...  this
  last A->B->C channel was all over a common /24, btw, whereas the initial and
  normal VPN networks use individual /16s.

  jared

-- 

[ openbsd 3.4-beta GENERIC ( aug 24 ) // i386 ]