Subject: Re: ipsec tunnels with one end fixed, other dynamic
To: Bill Studenmund <wrstuden@netbsd.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-net
Date: 01/15/2002 22:07:50

On Tue, Jan 15, 2002 at 03:45:48PM -0800, Bill Studenmund wrote:
> Has anyone gotten this working?
> 
> The idea is I have a laptop, and when I'm out on the road, it sets up a
> vpn to my house. I know I'd have to do something like have certificates
> set up.

No, you don't need certificates -- but all anonymous clients have to use
the same preshared key for IKE, or you can't decrypt the initial message.

Actually, strictly speaking, that's not true, but nobody seems to realize
it; you could try *every* anonymous client's preshared key, stopping when
you got a correct decrypt, but no IKE implementation of which I am aware
actually does that.

-- 
 Thor Lancelot Simon	                                      tls@rek.tjls.com
   But as he knew no bad language, he had called him all the names of common
 objects that he could think of, and had screamed: "You lamp!  You towel!  You
 plate!" and so on.              --Sigmund Freud
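
The trial-decrypt idea from the message above, sketched as an added example (not part of the original post and not taken from any IKE implementation). It uses the RFC 2409 pre-shared-key derivations for SKEYID, SKEYID_e and HASH_I; the message 5 body layout, the HMAC-based stand-in cipher, and all names and values are assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import namedtuple

# Values both peers hold after main mode messages 1-4 (all constructed here).
Exchange = namedtuple("Exchange", "ni nr gxi gxr gxy cky_i cky_r sai")

def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()

def derive(psk, ex):
    """RFC 2409 section 5: SKEYID and SKEYID_e for pre-shared-key auth."""
    skeyid = prf(psk, ex.ni + ex.nr)
    tail = ex.gxy + ex.cky_i + ex.cky_r
    skeyid_d = prf(skeyid, tail + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + tail + b"\x01")
    return skeyid, prf(skeyid, skeyid_a + tail + b"\x02")

def stream_xor(key, data):
    """Stand-in cipher (HMAC-SHA1 keystream); real IKE uses a CBC block cipher."""
    ks = b"".join(prf(key, bytes([i])) for i in range(len(data) // 20 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def hash_i(skeyid, ex, idii):
    return prf(skeyid, ex.gxi + ex.gxr + ex.cky_i + ex.cky_r + ex.sai + idii)

def build_msg5(psk, ex, idii):
    """Initiator side: encrypt a simplified length | IDii | HASH_I body."""
    skeyid, skeyid_e = derive(psk, ex)
    body = len(idii).to_bytes(2, "big") + idii + hash_i(skeyid, ex, idii)
    return stream_xor(skeyid_e, body)

def find_psk(candidates, ex, msg5):
    """Responder side: try each configured key until HASH_I verifies."""
    for name, psk in candidates.items():
        skeyid, skeyid_e = derive(psk, ex)
        body = stream_xor(skeyid_e, msg5)
        idlen = int.from_bytes(body[:2], "big")
        if len(body) != 2 + idlen + 20:
            continue  # wrong key: the decrypt is garbage
        idii, got = body[2:2 + idlen], body[2 + idlen:]
        if hmac.compare_digest(got, hash_i(skeyid, ex, idii)):
            return name, idii
    return None

# Constructed sample exchange and per-client keys (hypothetical names).
EX = Exchange(b"Ni" * 8, b"Nr" * 8, b"gxi" * 32, b"gxr" * 32, b"gxy" * 32,
              b"CKY-I---", b"CKY-R---", b"SAi_b")
KEYS = {"laptop-a": b"key one", "laptop-b": b"key two", "laptop-c": b"key three"}
```

The cost is one key derivation and one decrypt per configured key for every incoming message 5, so the work grows linearly with the number of anonymous clients.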