>> Why do you think IPSec needs one fixed-IP endpoint? Certainly, things
>> won't work if both of you change IP addresses before the DNS updates,
>> but you seem to accept that. You can also get a fixed IP for free by
>> contacting one of the IPv6 tunnel brokers. Yes, this will be
>> IPv6-over-IPv4, which has its issues.

>I've never seen an example where hostnames are used in place of static
>IP addresses in configuration files.  Is it the case that anywhere I see
>an ip address (filenames, conf file values, etc), I could just as easily
>put in foo.dyndns.org?

I don't consider myself an expert at this, but, yes, I think that is the case.
At least for me, it has worked well.  I have an ipsec tunnel set up between
two residential cable internet connections.  Both are DHCP, so there is no
static endpoint.
I use dDNS to keep the endpoint IPs up to date (I do own my own domain, but
I suppose you don't have to).
The tunnel goes down for a few minutes from time to time (I think mostly
because of problems with my internet connections, not so much DNS name
resolution issues), but it has not been an issue for me.
As an example, my ipsec.conf looks something like this (this is OpenBSD 4.6 -
yes, I know I should update, I'm working on it):
        One end:
                ike passive esp from 10.0.0.1 to ipsec2.mydomain.com srcid my.local.crt.com dstid my.remote.crt.com
                etc...
        The other end:
                ike dynamic esp from 192.168.1.1 to ipsec1.mydomain.com srcid my.remote.crt.com dstid my.local.crt.com
                etc...
As I said, I'm no expert on this, but I was able to figure this out from the
man pages.
Bye - ted
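
Added example (not part of the original message and not the poster's own script): a small watchdog that reloads the IPsec rules only when the peer's dDNS name resolves to a new, well-formed address, so a failed or garbage lookup never replaces a working configuration. Assumptions: the name in ipsec.conf is resolved when ipsecctl loads the file; the state file path, the RESOLVE/RELOAD hooks and the --run flag are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: a hostname in
# ipsec.conf is turned into an address when ipsecctl loads the file.
PEER="${PEER:-ipsec2.mydomain.com}"        # peer name used in the post
STATE="${STATE:-/var/db/ipsec-peer.addr}"  # hypothetical cache of last address
RESOLVE="${RESOLVE:-resolve_peer}"         # hook names are hypothetical
RELOAD="${RELOAD:-reload_rules}"

resolve_peer() {   # first A record for the name, empty on failure
    host -t A "$1" 2>/dev/null | awk '/has address/ { print $NF; exit }'
}

reload_rules() {   # re-read the rules so the name is looked up again
    ipsecctl -f /etc/ipsec.conf
}

is_ipv4() {        # accept only a dotted quad with octets 0..255
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# Returns 0 = address changed and rules reloaded, 1 = unchanged,
#         2 = lookup failed or returned garbage, 3 = reload failed.
check_peer() {
    new=$("$RESOLVE" "$PEER")
    if ! is_ipv4 "$new"; then
        echo "lookup for $PEER failed; leaving rules alone" >&2
        return 2
    fi
    old=$(cat "$STATE" 2>/dev/null || true)
    [ "$new" = "$old" ] && return 1
    "$RELOAD" || return 3
    printf '%s\n' "$new" > "$STATE"   # record only after a good reload
    return 0
}

# Run from cron as: script --run
case "${1:-}" in --run) check_peer ;; esac
```

Each end would run this against the other end's name; a non-zero status of 2 or 3 is worth logging, since it means the tunnel may be pointing at a stale address.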
