Help with Home connection site to site vpn setup

[badguy]

So I am trying to setup a site to site vpn connection between two homes. I intend to get an openbsd box in both houses to do this. Both houses I do not have dedicated public IPs to use for the external IP addresses. Is there a way I can achieve my goal (set up a site – site vpn between the two homes) given the current scenario?

If I use the IP address I get when I lookup google for my public IP will this work? I am skeptical about using this since it is not static and usually dynamic given by the ISP.

Can someone recommend a better way to get the VPN up if I am not in the right
direction? Thanks guys

[jggimi]

Use fqdn or ufqdn methods to exchange isakmpd keys. Neither requires IP addresses.

[badguy]

Thanks for the reply. If I understand you correctly, In that case i have to go with a solution like NO-IP (no-ip.com) as this is just home use and I don not have an fqdn that can be resolved across the internet.

If that was not what you implied can you please elaborate? Also is there any other method you know of. Just asking so I can weight every single option and see which is best. Thanks

[jggimi]

ISAKMPD is a key management system. It does the sharing of keys for IPSec in four very different ways:

1. Shared passphrases: useful for provisioning tests, not recommended for production use
2. Host Keys: most common use between OpenBSD instances, and recommended in most of the Internet-based How-to documentation since the advent of ipsecctl.conf.
3. X.509 Certificates: useful when a peer with non-OpenBSD ISAKMPD systems
4. Keynote Authentification: used in complex trust management systems only

It is the Host Key option I was referring to, as I had assumed you had been reading the "Zero to IPSec in 4 Minutes" How-to document. It uses IPv4 Host Keys and static addressing, as do most others.

Host Keys allow for four different naming conventions. And that is all they are -- naming conventions. They make setting up SAs and Flows in ipsecctl.conf easier. They are:

1. ipv4 - the keys are named by static IP address in IPv4 format
2. ipv6 - the keys are named by static IP address in IPv6 format
3. fqdn - the keys are named by fully qualified domain name
4. ufqdn - the keys are named by user@fully qualified domain name

There is no difference between these other than file naming and storage location under /etc/isakmpd.

Yes, it is much easier if you use no-ip or dyndns or some other method of referring to dynamic IP addresses by domain name, and altering the reference when they change.