 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] ipsec 1 static and 1 dyn ip
 Date:  Sun, 12 Sep 2004 15:03:08 -0700 (PDT)
On Fri, 3 Sep 2004, spiv007 wrote:

> How can I do an IPsec with this type of setup?  I have two m0n0, one
> with a static IP and the other dyn IP.  Which option can I use to get
> IPsec working?

You need to use something fixed (hence something other than the IP
address) as the "identifier" of the dynamic end, which in turn means you
have to use "aggressive mode" for Phase 1.  Be sure to pick a key with
good entropy, since aggressive mode exposes the hashed version of the key
and is thus vulnerable to dictionary attacks on anything that looks like a
"passphrase".

					Fred Wright
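
[Added example, not part of the original message:] One way to produce a pre-shared key with "good entropy" as advised above is to draw it from the operating system's CSPRNG instead of typing a passphrase. The 128-bit target and the letters-and-digits alphabet are assumptions made for this sketch, not m0n0wall requirements.

```python
import math
import secrets
import string

# Assumption: letters and digits only, to avoid quoting or escaping
# problems in whatever field or file ends up holding the key.
DEFAULT_ALPHABET = string.ascii_letters + string.digits


def psk_length(target_bits, alphabet=DEFAULT_ALPHABET):
    """Characters needed so a uniformly random key has >= target_bits."""
    symbols = len(set(alphabet))
    if symbols < 2:
        raise ValueError("alphabet needs at least two distinct symbols")
    if target_bits <= 0:
        raise ValueError("target_bits must be positive")
    return math.ceil(target_bits / math.log2(symbols))


def generate_psk(target_bits=128, alphabet=DEFAULT_ALPHABET):
    """Return (key, entropy_bits) with every character drawn from the OS CSPRNG."""
    # Drop duplicate symbols so each one is equally likely.
    symbols = sorted(set(alphabet))
    length = psk_length(target_bits, symbols)
    key = "".join(secrets.choice(symbols) for _ in range(length))
    return key, length * math.log2(len(symbols))


if __name__ == "__main__":
    key, bits = generate_psk()
    print(f"{key}  ({len(key)} chars, about {bits:.1f} bits)")
```

Enter the same generated key on both m0n0wall boxes; because it is random rather than a memorable phrase, a dictionary run against the exposed hash has nothing to match.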