On 6/23/07, Eugen Leitl <[EMAIL PROTECTED]> wrote:

> > The general idea is that if you use keys in DNS to authenticate gateways
>
> Aye, that's the rub. Most hosts are in dynamic address space,
> and anything involving DNS will not fly.

It is certainly a problem, but you can get around it partially even if your IP
address is dynamically assigned:

http://www.freeswan.org/freeswan_trees/freeswan-2.00/doc/quickstart.html#opp.client

You do need to use a dynamic DNS server to handle your keys, but there
are lots of those, and many do provide that service.

Also, this is limited to "initiate-only" IPsec; it does not handle incoming
connections. However, that may be enough for many client machines that live
in dynamic address space.

--
Sandy Harris
Quanzhou, Fujian, China

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]