Re: RFC: Large dynamic CIPE VPN (2nd posting)
Christian Lademann <cal,AT,zls,DOT,de>
Sun, 22 Oct 2000 12:21:45 +0200
Martijn van Oosterhout wrote:
> There is one thing that may make your job a little easier. In the server
> config, if you specify the remote peer as 0.0.0.0, it will accept any
> connection that has the right static key. So the server config file
> not need to contain the address of the client machine.
That is true. But as the cipic-server knows the ip-address of the
it can as well use that information to add a little extra security. On the
also gives the possibility to dynamically reconfigure the firewall to accept
specific udp-port only from THAT client-address
> Now, depending on what your security requirements, you may be able to
> a static mapping between port numbers and server keys, so then you would
> never need to modify the server config file at all. Or maybe just
> them all just once per day.
If configuration information is changed at all, that means it has to be
the clients. So why not exchange the complete information every time?
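The per-client firewall lockdown mentioned in the reply, written out as an added example (not code from the thread or from CIPE itself): a hook that, once the server learns the peer's UDP address, allows the CIPE port only from that address and withdraws the rule for the previous peer. It assumes iptables, a standing DROP for the port at the end of INPUT, and an argument order of `<udp_port> <peer_addr> [<old_peer_addr>]`, all of which are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed arguments:
#   $1 UDP port CIPE listens on, $2 peer address that just connected,
#   $3 (optional) previous peer address whose ACCEPT rule should go.

# Accept only a plain dotted-quad so a peer string can never smuggle extra
# tokens into the iptables command line.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the rules that narrow UDP port $1 to peer $2 and drop the ACCEPT for
# the previous peer $3 (if given). Printing rather than executing keeps the
# logic testable; apply_lockdown runs them.
lockdown_rules() {
    port=$1; peer=$2; old=${3:-}
    is_ipv4 "$peer" || { echo "bad peer address: $peer" >&2; return 1; }
    if [ -n "$old" ]; then
        is_ipv4 "$old" || { echo "bad old peer address: $old" >&2; return 1; }
        echo "iptables -D INPUT -p udp --dport $port -s $old -j ACCEPT"
    fi
    echo "iptables -I INPUT -p udp --dport $port -s $peer -j ACCEPT"
}

# Execute the generated rules one by one; stops at the first failure.
apply_lockdown() {
    lockdown_rules "$@" | while IFS= read -r rule; do
        eval "$rule" || exit 1
    done
}
```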