Is there a way to actually have iked accept connections from peers with dynamically changing IP addresses, using their DNS names, for example like this:

ikev2 esp from 66.63.5.250 to tunnel.ouellet.us
ikev2 esp from 10.0.0.0/24 to 172.16.2.0/24 peer tunnel.ouellet.us

Yes, you can have

ikev2 esp from 66.63.5.250 to any
ikev2 esp from 10.0.0.0/24 to 172.16.2.0/24 peer any

and when you use RSA keys you are still OK, except that I do not like the fact that it is still open too wide. But that would still be fine; however, when you have multiple different routers (or policies, I should say) that are NOT supposed to go to everyone, how do you address this in a dynamically changing situation? Examples:

ikev2 esp from 10.0.0.2 to tunnel1.example.com
ikev2 esp from 10.0.0.2 to tunnel2.example.com
ikev2 esp from 10.0.0.2 to tunnel3.example.com
ikev2 esp from 10.0.0.2 to tunnel4.example.com
...
ikev2 esp from 192.168.1.0/24 to 172.16.1.0/24 peer tunnel1.example.com
ikev2 esp from 192.168.2.0/24 to 172.16.2.0/24 peer tunnel2.example.com
ikev2 esp from 192.168.3.0/24 to 172.16.3.0/24 peer tunnel3.example.com
ikev2 esp from 192.168.4.0/24 to 172.16.4.0/24 peer tunnel4.example.com
...

if the remote part of tunnelx.example.com is changing regularly. You can't really use "any" here, as all the various blocks would be presented to each one, and you can't assume the remote side wouldn't actually allow them in.

Like in PF, you can always have (em1) in your rules and it will re-resolve its IP if it changes in real life.

Is there a clever way to do this? In short, a way to avoid reloading iked.conf as things change and losing all the current sessions. I haven't come up with a decent solution yet.

If all the policies were OK for everyone that would be fine, but they are not, so how do you address the issue? And maybe it's not possible; I could work around that somehow, but I would really love to know whether it's possible to do or not, so that I stop trying!

Daniel

