>> Why do you think IPSec needs one fixed-IP endpoint? Certainly, things
>> won't work if both of you change IP addresses before the DNS updates,
>> but you seem to accept that. You can also get a fixed IP for free by
>> contacting one of the IPv6 tunnel brokers. Yes, this will be
>> IPv6-over-IPv4, which has its issues.
> I've never seen an example where hostnames are used in place of static
> IP addresses in configuration files. Is it the case that anywhere I see
> an IP address (filenames, conf file values, etc.), I could just as easily
> put in foo.dyndns.org?

I don't consider myself an expert at this, but, yes, I think that is the
case. At least for me, it has worked well.

I have an ipsec tunnel set up between two residential cable internet
connections. Both are DHCP, so there is no static endpoint. I use dDNS to
keep the endpoint IPs up to date (I do own my own domain, but I suppose
you don't have to). The tunnel goes down for a few minutes from time to
time (I think mostly because of problems with my internet connections,
not so much DNS name resolution issues), but it has not been an issue
for me.

As an example, my ipsec.conf looks something like this (this is OpenBSD
4.6 - yes, I know I should update, I'm working on it):

One end:

    ike passive esp from 10.0.0.1 to ipsec2.mydomain.com srcid my.local.crt.com dstid my.remote.crt.com
    etc...

The other end:

    ike dynamic esp from 192.168.1.1 to ipsec1.mydomain.com srcid my.remote.crt.com dstid my.local.crt.com
    etc...

As I said, I'm no expert on this, but I was able to figure this out from
the man pages.

Bye - ted
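One operational detail the set-up above relies on, shown as an added example that is not from the original post or from OpenBSD itself: ipsecctl(8) is assumed here to resolve the hostnames in ipsec.conf when it loads the rules, so once a peer's dynamic-DNS address changes the rules have to be reloaded before the tunnel comes back. The script below, meant to run from cron on each end, re-resolves the peer's name and reloads only on a change; the cache directory, the host(1) output parsing and the RELOAD_CMD hook are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post: keep an ipsec.conf that names
# its peers by dynamic-DNS hostname in sync with what those names resolve to.
# Assumptions: OpenBSD with host(1) and ipsecctl(8); the cache directory,
# the host(1) output parsing and the RELOAD_CMD hook are this script's own.

STATE_DIR=${STATE_DIR:-/var/db/ipsec-ddns}

# resolve_peer NAME: print the first IPv4 address host(1) reports, if any.
resolve_peer() {
    host -t A "$1" 2>/dev/null | awk '/has address/ { print $NF; exit }'
}

# peer_changed NAME ADDR: succeed (0) if ADDR differs from the cached address
# for NAME and record the new one; fail (1) if it is unchanged.
peer_changed() {
    name=$1; addr=$2
    mkdir -p "$STATE_DIR"
    cache="$STATE_DIR/$name"
    old=$(cat "$cache" 2>/dev/null || true)
    [ "$old" = "$addr" ] && return 1
    printf '%s\n' "$addr" > "$cache"
    return 0
}

# check_peer NAME: re-resolve NAME and reload the rules only on a change.
# Returns 0 on reload, 1 if unchanged, 2 if the name did not resolve (the
# existing SAs are left alone rather than torn down on a DNS hiccup).
check_peer() {
    addr=$(resolve_peer "$1")
    if [ -z "$addr" ]; then
        echo "check_peer: $1 did not resolve; keeping current SAs" >&2
        return 2
    fi
    if peer_changed "$1" "$addr"; then
        echo "check_peer: $1 is now $addr; reloading ipsec.conf" >&2
        # Unquoted on purpose so the command splits into words.
        ${RELOAD_CMD:-ipsecctl -f /etc/ipsec.conf}
        return 0
    fi
    return 1
}

# Usage from cron on the end whose peer is ipsec2.mydomain.com, e.g.:
#   */5 * * * * /usr/local/sbin/ipsec-ddns-check ipsec2.mydomain.com
case $# in
    1) check_peer "$1" ;;
esac
```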