Originally Posted by internetSurfer
What happens if the DNS for the FQDN is spoofed?
If the FQDN is spoofed, and they managed to get a copy of the certificate that lets them masquerade as that end-point... then I guess I've been compromised.
I'm on dynamic IP, so I can't rely on an IP either. The only real way to provide security against spoofing, and maybe handle the whole IP/DNS issue, is to have each end-point run a script, triggered by a WAN IP change, that SSHes into the other end-point and calls a script with the new IP, which in turn stops the VPN, updates the IP in the config file, and then restarts the VPN. Sounds like a lot of logic for something that may already have a solution out there.
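The receiving side of the scheme described above, as an added example that is not code from the original thread. It assumes (hypothetically; the thread names no VPN software) that the VPN config is a text file containing a line of the form `remote <ipv4> ...` and that the VPN is controlled by a start/stop command set in `VPN_CTL`. The security point the post's idea hinges on: the new address arrives over SSH from the other end-point, so it is untrusted input and must be validated before it is written into a config file or passed to any command, and the SSH key the peer uses should be pinned to this script with a `command="..."` forced command in `authorized_keys` so that key cannot run anything else. IPv6 peers are not handled.

```shell
#!/bin/sh
# Added example for the "update the peer IP on a WAN change" idea in the post
# above; not code from the original thread. Hypothetical assumptions:
#  - the VPN config holds a line "remote <ipv4> ..." (field 2 is the address)
#  - VPN_CTL is a command that accepts "stop" / "start"
# Install as the forced command for the peer's SSH key, e.g. in
# ~/.ssh/authorized_keys:
#   command="/usr/local/bin/update-peer-ip.sh",restrict ssh-ed25519 AAAA... peer
# The peer then runs:  ssh vpn-host 203.0.113.5
# and this script receives the address in SSH_ORIGINAL_COMMAND.

CONFIG="${VPN_CONFIG:-/etc/vpn/peer.conf}"   # assumed path
VPN_CTL="${VPN_CTL:-service vpn}"             # assumed control command

# Accept only a plain dotted-quad IPv4 address. The value comes from the other
# end-point over SSH, so it is untrusted: without this check a compromised or
# impersonated peer could push shell metacharacters or config syntax through
# the rewrite below.
valid_ipv4() {
    ip="$1"
    case "$ip" in
        *.) return 1 ;;          # trailing dot is silently dropped by IFS splitting
    esac
    old_ifs="$IFS"
    IFS='.'
    set -f                       # no globbing while splitting untrusted input
    set -- $ip
    set +f
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in
            ''|*[!0-9]*|????*|0[0-9]*) return 1 ;;   # empty, non-digit, >3 chars, leading zero
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Rewrite the address on the "remote" line. Writes to a temp file and renames
# so the VPN never reads a half-written config. Call only after valid_ipv4.
update_remote_ip() {
    cfg="$1"
    newip="$2"
    tmp="$cfg.tmp.$$"
    awk -v ip="$newip" '$1 == "remote" { $2 = ip } { print }' "$cfg" > "$tmp" \
        || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$cfg"
}

# Stop the VPN, swap in the new peer address, start it again.
handle_peer_ip_change() {
    newip="$1"
    if ! valid_ipv4 "$newip"; then
        printf 'rejected peer address: %s\n' "$newip" >&2
        return 1
    fi
    $VPN_CTL stop
    update_remote_ip "$CONFIG" "$newip" || return 1
    $VPN_CTL start
}

# Entry point: the address comes either as the first argument or, under an
# SSH forced command, via SSH_ORIGINAL_COMMAND. With neither, do nothing, so
# the functions above can be sourced and tested without touching the VPN.
peer_ip="${1:-${SSH_ORIGINAL_COMMAND:-}}"
if [ -n "$peer_ip" ]; then
    handle_peer_ip_change "$peer_ip"
fi
```

The `restrict` option (OpenSSH 7.2 and later) additionally disables port forwarding, agent forwarding and PTY allocation for that key, so even with the private key a peer can only invoke this script with a single argument; the validation then closes the remaining avenue, the argument itself.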