I've just been looking at setting up ipsec with multiple endpoints (zyxel 661h, fwiw: the basic connectivity is ok, though I am growing to loathe their web gui and lack of plaintext config).
It would be convenient not to wire the remote peers down to static IP addresses, but if I do something like this...

    # @0
    ike passive esp from 10.1.10.0/24 to 10.1.44.100/24 \
        quick auth hmac-sha1 enc aes group grp2 \
        srcid me.mylan.net dstid net.100 psk 22222
    # @1
    ike passive esp from 10.1.10.0/24 to 10.1.44.101/24 \
        quick auth hmac-sha1 enc aes group grp2 \
        srcid me.mylan.net dstid net.101 psk 33333

the following peer config sections (and others) are generated:

    @0
    C set [Phase 1]:Default=peer-default force
    C set [peer-default]:Phase=1 force
    C set [peer-default]:Authentication=22222 force
    C set [peer-default]:Configuration=mm-default force
    C set [peer-default]:ID=me.mylan.net-ID force
    C set [peer-default]:Remote-ID=default-ID force
    C set [default-ID]:ID-type=FQDN force
    C set [default-ID]:Name=net.100 force
    @1
    C set [Phase 1]:Default=peer-default force
    C set [peer-default]:Phase=1 force
    C set [peer-default]:Authentication=33333 force
    C set [peer-default]:Configuration=mm-default force
    C set [peer-default]:ID=me.mylan.net-ID force
    C set [peer-default]:Remote-ID=default-ID force
    C set [default-ID]:ID-type=FQDN force
    C set [default-ID]:Name=net.101 force

Obviously, having the same names, the first is overwritten by the second. Would I be totally going down the wrong route if I were to change the hardcoded -default and default- section names in ipsecctl/ike.c to something based on dstid?
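An added check, not part of the post or of ipsecctl: a small Python script that parses the "C set [section]:Key=Value force" lines ipsecctl emits (the sample below is constructed from the two sections quoted above, trimmed to the keys that matter) and reports every section key that different rules assign different values to, which is exactly where the later rule silently overwrites the earlier one. The "@N" rule marker and the line format are assumed from the output quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the two peer sections quoted in the post:
# an "@N" rule marker followed by "C set [section]:Key=Value force" lines.
SAMPLE = """\
@0
C set [Phase 1]:Default=peer-default force
C set [peer-default]:Authentication=22222 force
C set [peer-default]:Remote-ID=default-ID force
C set [default-ID]:ID-type=FQDN force
C set [default-ID]:Name=net.100 force
@1
C set [Phase 1]:Default=peer-default force
C set [peer-default]:Authentication=33333 force
C set [peer-default]:Remote-ID=default-ID force
C set [default-ID]:ID-type=FQDN force
C set [default-ID]:Name=net.101 force
"""

RULE_RE = re.compile(r"^@(\d+)\s*$")
SET_RE = re.compile(r"^C set \[([^\]]+)\]:([^=]+)=(.*?) force$")

def parse_sets(text):
    """Return {(section, key): [(rule, value), ...]} for every 'C set' line, in order."""
    seen = defaultdict(list)
    rule = None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rule = int(m.group(1))
            continue
        m = SET_RE.match(line)
        if m and rule is not None:
            section, key, value = m.groups()
            seen[(section, key)].append((rule, value))
    return seen

def find_clobbered(text):
    """Keys that different rules set to different values: only the last 'set' survives."""
    clobbered = {}
    for (section, key), assignments in parse_sets(text).items():
        if len({v for _, v in assignments}) > 1:
            clobbered[(section, key)] = assignments
    return clobbered

if __name__ == "__main__":
    for (section, key), assignments in sorted(find_clobbered(SAMPLE).items()):
        print(f"[{section}]:{key} set by rules {assignments}; last value wins")
```

Feeding it the full `ipsecctl -nv` output instead of the sample flags the same Authentication and Name collisions before isakmpd ever loads the rules.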