But it seems to me as if racoon would just fail to look up the IP from the hostname? OK, if the connection terminates due to an IP change we'll have to wait a few minutes to reconnect, but would it not be possible to "teach" racoon to correctly translate the name to the IP? It's even so that racoon cannot translate static names to static IP addresses...
-----Original Message-----
From: Angelo Turetta [mailto:[EMAIL PROTECTED]
Sent: Sunday, 19 March 2006 16:15
To: [email protected]
Subject: Re: [pfSense Support] VPN with dynamic IP for both endpoints

> Dynamic endpoints is not supported in beta2. We never got it fully
> working.

And I think never will, because it's not possible without additional software :-)

As I tried to say (unacknowledged) in the previous thread about this topic, http://marc.theaimsgroup.com/?t=113277323300003&r=1&w=2 , to specify an IPSEC tunnel policy you MUST insert the IP of both endpoints into the kernel SPD.

If one of the endpoints' IP address changes, the key exchange daemon will never know that his peer now has another IP until the next rekeying, which will happen after an unpredictable timeout. And even after that, IT WILL NOT FIND A VALID SPD to establish a new association: someone has to change the policy definition inside the kernel, which racoon is not designed to do (it's setkey(8)'s work).

That's why such a setup is not possible using only IPSec.

The best way I know to establish an IPSEC-grade connection between two networks which only have dyn-ip gateways is L2TP (essentially PPTP over IPSEC host-to-host, no IPSEC tunnels).

Angelo Turetta

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
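To make Angelo's point about the kernel SPD concrete, here is an added example (not part of the thread, and not pfSense or racoon code) that emits the setkey(8) tunnel-mode policy for a net-to-net IPsec link and then checks whether a given peer gateway address still matches it. All addresses are assumed placeholders: local LAN 192.168.1.0/24 behind gateway 203.0.113.10, remote LAN 192.168.2.0/24 behind gateway 198.51.100.20. The gateway addresses are baked into the `esp/tunnel/<local>-<remote>` part of each policy line, which is exactly why a peer whose address has changed no longer matches any SPD entry until someone rewrites the policy.

```shell
#!/bin/sh
# Added example, not from the original thread. Addresses are constructed placeholders.

# Print the two setkey(8) SPD entries (outbound and inbound) for a tunnel-mode
# policy between two networks. Both gateway IPs become part of the policy text.
#   $1 local network, $2 remote network, $3 local gateway IP, $4 remote gateway IP
spd_policy() {
    lnet=$1; rnet=$2; lgw=$3; rgw=$4
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$lnet" "$rnet" "$lgw" "$rgw"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' "$rnet" "$lnet" "$rgw" "$lgw"
}

# Return 0 if the peer gateway address appears as a tunnel endpoint in the given
# policy text, 1 otherwise. Models the "no valid SPD" failure after a peer IP change.
#   $1 policy text (as produced by spd_policy), $2 observed peer gateway IP
policy_matches_peer() {
    policy=$1; peer=$2
    printf '%s\n' "$policy" | grep -Eq -- "tunnel/(${peer}-|[0-9.]+-${peer})/"
}

# Stand-alone demonstration: a peer that keeps its address matches, a peer that
# moved to a new address (here 198.51.100.99, constructed) does not.
if [ "${0##*/}" != "sh" ] && [ -z "${SPD_EXAMPLE_NO_MAIN:-}" ]; then
    pol=$(spd_policy 192.168.1.0/24 192.168.2.0/24 203.0.113.10 198.51.100.20)
    printf '%s\n' "$pol"
    if policy_matches_peer "$pol" 198.51.100.20; then echo "peer 198.51.100.20: SPD matches"; fi
    if ! policy_matches_peer "$pol" 198.51.100.99; then echo "peer 198.51.100.99: no matching SPD entry"; fi
fi
```

The generated lines are the format `setkey -f <file>` loads into the kernel; loading them is a separate administrative step that a key-exchange daemon does not perform, which is the gap the message describes for dynamic endpoints.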
