Here is an old message I saved for my own future reference...
Author: Todd Pearsall (tpearsall_AT_softhome.net)
Date: 06-07-02 12:18
Yes, with FreeS/WAN you can have one side static and the other dynamic, it just means the dynamic side must initiate the connection and the static is set to wait for a connection from any IP. It can be done with a shared key but is best accomplished with RSA signatures. In FreeS/WAN terms that looks like:
# Static Side Connection File ipsec.conf
conn DynSide-StaticSide
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        authby=rsasig
        # Left security gateway, subnet behind it, next hop toward right.
        left=%any
        leftsubnet=192.168.3.0/24
        leftid=@DynSide
        leftrsasigkey=0x0103df3d...
        leftfirewall=yes
        # Right security gateway, subnet behind it, next hop toward left.
        right=55.55.55.55
        rightsubnet=172.30.85.0/24
        rightnexthop=55.55.55.51
        rightid=@StaticSide
        rightrsasigkey=0x0103779...
        rightfirewall=yes
        # Authorize this connection, but don't actually start it, at startup.
        auto=add
# Dynamic Side Connection File ipsec.conf
conn DynSide-StaticSide
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        authby=rsasig
        # Left security gateway, subnet behind it, next hop toward right.
        left=%defaultroute
        leftsubnet=192.168.3.0/24
        leftid=@DynSide
        leftrsasigkey=0x0103d...
        leftfirewall=yes
        # Right security gateway, subnet behind it, next hop toward left.
        right=55.55.55.55
        rightsubnet=172.30.85.0/24
        rightnexthop=55.55.55.51
        rightid=@StaticSide
        rightrsasigkey=0x0103779...
        rightfirewall=yes
        # Authorize this connection and start it at startup.
        auto=start
Check the FreeS/WAN docs for any parameter definitions you need.
- Todd
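As an added example (not part of Todd's message and not FreeS/WAN code), here is a small Python checker that parses the two ipsec.conf conn sections and verifies the invariants his message relies on: the static side waits with left=%any and auto=add because it cannot know the dynamic peer's address, the dynamic side is the one that initiates with %defaultroute and auto=start, and the identities, subnets and RSA signature keys agree in both files. The two embedded configs are constructed from the message; the key values are placeholders, not real RSA keys, and the function names are my own.

```python
"""Cross-check a FreeS/WAN static/dynamic ipsec.conf pair (added example)."""
import re

# Constructed sample configs modelled on the message above. The rsasigkey
# values are placeholders, not real public keys.
STATIC_CONF = """\
conn DynSide-StaticSide
        keyingtries=0
        authby=rsasig
        left=%any
        leftsubnet=192.168.3.0/24
        leftid=@DynSide
        leftrsasigkey=0xPLACEHOLDER_DYN
        right=55.55.55.55
        rightsubnet=172.30.85.0/24
        rightnexthop=55.55.55.51
        rightid=@StaticSide
        rightrsasigkey=0xPLACEHOLDER_STATIC
        auto=add
"""

DYNAMIC_CONF = """\
conn DynSide-StaticSide
        keyingtries=0
        authby=rsasig
        left=%defaultroute
        leftsubnet=192.168.3.0/24
        leftid=@DynSide
        leftrsasigkey=0xPLACEHOLDER_DYN
        right=55.55.55.55
        rightsubnet=172.30.85.0/24
        rightnexthop=55.55.55.51
        rightid=@StaticSide
        rightrsasigkey=0xPLACEHOLDER_STATIC
        auto=start
"""


def parse_conns(text):
    """Return {conn_name: {param: value}} from ipsec.conf-style text.

    A parameter belongs to a section only when it is indented under the
    'conn <name>' line; an unindented key=value is rejected, because the
    FreeS/WAN parser would not attach it to the section either.
    """
    conns, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        header = re.match(r"^conn\s+(\S+)\s*$", line)
        if header:
            current = conns.setdefault(header.group(1), {})
            continue
        if "=" in line:
            if not raw[0].isspace() or current is None:
                raise ValueError(f"line {lineno}: parameter outside a conn section")
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
        else:
            current = None   # some other unindented section header
    return conns


def check_pair(static_text, dynamic_text, name):
    """Return a list of problems; an empty list means the pair is consistent."""
    s = parse_conns(static_text)[name]
    d = parse_conns(dynamic_text)[name]
    problems = []
    # The static gateway cannot address the roaming peer, so it must accept
    # any initiator and only load the conn rather than try to start it.
    if s.get("left") != "%any":
        problems.append("static side: left should be %any")
    if s.get("auto") != "add":
        problems.append("static side: auto should be add (cannot initiate)")
    # The dynamic gateway is the only side able to initiate.
    if d.get("left") != "%defaultroute":
        problems.append("dynamic side: left should be %defaultroute")
    if d.get("auto") != "start":
        problems.append("dynamic side: auto should be start")
    # Everything that identifies and authenticates the peers must agree.
    for key in ("authby", "leftid", "rightid", "leftsubnet", "rightsubnet",
                "leftrsasigkey", "rightrsasigkey", "right"):
        if s.get(key) != d.get(key):
            problems.append(f"{key} differs: {s.get(key)!r} vs {d.get(key)!r}")
    if s.get("authby") == "rsasig":
        for side in ("left", "right"):
            if not s.get(f"{side}rsasigkey", "").startswith("0x"):
                problems.append(f"{side}rsasigkey missing or not a hex key")
    return problems


if __name__ == "__main__":
    for problem in check_pair(STATIC_CONF, DYNAMIC_CONF, "DynSide-StaticSide"):
        print("PROBLEM:", problem)
    print("done")
```

Run it against the real files by reading them into the two strings; the typical mistake it catches is copying one file to the other host unchanged, which leaves the static side with auto=start and a left address it can never resolve.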