In our examples so far, we have assumed that the IP addresses of the IPsec endpoints are known and do not change. This is not always the case, though often the VPN server at the office will be static, and only the connecting clients will use various unknown IP addresses.
First, you could use a fully qualified domain name (FQDN) instead of an IP address. This way, if one endpoint changes IP address, as long as the DNS is changed, changes on all the connecting peers will not be necessary. Even though DNS is not secure, and anyone can spoof DNS answers, it will suffice for our use here, because all our peers have already exchanged their public RSA key or PSK. Even if some attacker spoofs the DNS, no information could leak, because the IPsec tunnel to the rogue endpoint would never get established. It is missing vital credentials—either the private RSA key or the PSK. So we can safely use:
left=west.testbed.xelerance.net
right=east.testbed.xelerance.net
Openswan would...
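The following connection stanza is an added example, not taken from the book or from the Openswan project, showing what the point above looks like in a complete ipsec.conf entry: the endpoints are named by the FQDNs from the text, but the peers are authenticated by RSA public key, so a spoofed DNS answer can at most steer the IKE exchange to a host that cannot prove the matching private key. The subnets and the key values are placeholders (assumptions); real keys are the 0s... strings printed by ipsec showhostkey.

```ini
# Added example (not from the book): both endpoints named by FQDN,
# authenticated by pinned RSA public keys rather than by IP address.
# Hostnames are from the text; subnets and keys are placeholders.
conn west-east
    left=west.testbed.xelerance.net
    leftid=@west.testbed.xelerance.net
    # assumed network behind west
    leftsubnet=192.0.2.0/24
    # placeholder: replace with the 0s... key from "ipsec showhostkey --left" on west
    leftrsasigkey=0sAQ...WEST-PUBLIC-KEY-PLACEHOLDER...
    right=east.testbed.xelerance.net
    rightid=@east.testbed.xelerance.net
    # assumed network behind east
    rightsubnet=198.51.100.0/24
    # placeholder: replace with the 0s... key from "ipsec showhostkey --right" on east
    rightrsasigkey=0sAQ...EAST-PUBLIC-KEY-PLACEHOLDER...
    authby=rsasig
    auto=start
```

Because the peer's public key is pinned in rightrsasigkey (and the identity in rightid is a name, not an address), a host that merely answers to east.testbed.xelerance.net after a DNS spoof fails IKE authentication and no tunnel is built; the failure shows up in the Pluto log as an authentication error rather than as a silent connection to the wrong peer. One operational caveat: Openswan resolves the FQDN when the connection is loaded, so after the address behind a name changes the connection has to be reloaded (for example with ipsec auto --replace west-east) before the new address is used.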