The current situation: I have some machines with static IP addresses, and some other ones with dynamic IP addresses, permanently connected or not.

What I would like: establish IPsec tunnels between a machine with a static IP and a machine with a dynamic one.

The former solution I used: pipsecd, written by Pierre Beyssac, allows you to configure IPsec tunnels without having an IPsec stack in your kernel. These tunnels can have dynamic addresses: when an IPsec packet enters the machine with a static IP and has the right signature, this changes the tunnel's dynamic end to be the machine that sent the packet. That means that sending a single packet from a new IP address was enough to reconfigure the whole tunnel.

Is that doable with the current IPsec kernel implementation? Can we dynamically change security policies so that a new tunnel is created when a packet with the right SPI is received? How can one intercept IPsec packets, since they are not tagged as IPsec anymore when they arrive in userland?

Sam
--
Samuel Tardieu -- [EMAIL PROTECTED]
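
The endpoint update described in the message above, as an added sketch that is not part of the original post and is not pipsecd's code: a packet may move the tunnel's dynamic end only if its signature verifies. The packet layout, the truncated HMAC-SHA-256, the sequence-number check (added so that a captured packet replayed from another address cannot redirect the tunnel) and all names are assumptions.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # truncated HMAC length; an assumption for this sketch


class Tunnel:
    """One security association whose remote end may roam."""

    def __init__(self, spi, key, peer=None):
        self.spi = spi
        self.key = key
        self.peer = peer        # current (ip, port) of the dynamic end
        self.last_seq = 0       # highest sequence number accepted so far


def seal(spi, seq, key, payload):
    """Build a constructed ESP-like packet: SPI | seq | payload | ICV."""
    body = struct.pack("!II", spi, seq) + payload
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def receive(tunnels, packet, src):
    """Return the payload if accepted, else None. Only an authenticated,
    fresh packet may move the tunnel's dynamic endpoint to src."""
    if len(packet) < 8 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    spi, seq = struct.unpack("!II", body[:8])
    tun = tunnels.get(spi)
    if tun is None:
        return None             # unknown SPI: nothing to update
    expected = hmac.new(tun.key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None             # wrong signature: endpoint untouched
    if seq <= tun.last_seq:
        return None             # replayed packet: endpoint untouched
    tun.last_seq = seq
    tun.peer = src              # roam to the sender's current address
    return body[8:]
```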