Mobile networking

In these days of VPN, IPsec, dynamic routing, tunnels, IPv6, and autoconfiguration protocols, one would expect that it would be possible to configure a laptop to find all kinds of hosts automatically, both for those that are network-specific (proxy servers, NNTP servers), and for those that are not (mail servers, version control systems, ...). And yet, every time I log in, no matter where, I manually set up two SSH tunnels: one to allow for a connection to the NNTP server (different ISPs require different NNTP servers, and I don't want to reconfigure leafnode every time), one to connect to my mail server. Yes, I'm using SSH keys and ssh-agent. Yes, I'm using ~/.ssh/config. But I still have to start the connection every time, which is a nuisance. And because it's more of a problem on a laptop than it's worth, I don't even bother with proxy servers anymore.

This could use some improvement. What I want is simple: I want tunnels and the like to be set up automatically when I connect my laptop to a network. If the network is 'known' (at home or at the office), then connections to local systems should not be tunneled, compressed, or encrypted, so that stuff isn't slowed down unnecessarily. However, connections to remote hosts should always be secure; whether it is an SSH tunnel or an IPsec layer that is being used somewhere shouldn't really matter. For bonus points, it'd be nice if any traffic would be compressed as well if the connection isn't fast; I sometimes connect to the 'net through my cell phone, which is slow. Speeding that up would be wonderful.

I would prefer not to have to enter a password when the network connection is set up; but if that isn't possible while keeping things secure, so be it. It should not be possible to circumvent my security. Paranoia is good. I'll also want the ability to easily disable everything without having to remove too many keys from too many different places, should my laptop be stolen again some day. And, last but not least, it should not require me to either have a non-local IP address or to do weird stuff with the firewall, because that will simply break when I connect to a LAN where I'm not the administrator.

I think all of the above should be possible by using some IPsec (without AH) and DNAT rules on the laptop itself, carefully semi-automatically generated from a script run from /etc/ppp/ip-up.d or some DHCP client's equivalent thereof. Not sure though; will need some experimenting.
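As an added illustration of the decision logic described above (known network: no tunnels; unknown network: tunnels, compressed only on a slow link), here is a sketch of an /etc/ppp/ip-up.d style hook written in POSIX sh. It is example code written for this page, not the author's script, and it uses the SSH-tunnel variant of the idea rather than IPsec/DNAT. The known prefixes, the gateway and server hostnames, and the local ports are placeholders; the NNTP port is 119, and the mail server is assumed to be reached over IMAP (143), which the post does not state.

```shell
#!/bin/sh
# Added example, not from the original post: an ip-up.d style hook that decides,
# from the address the laptop just obtained, whether the network is "known" and,
# if not, which SSH port-forwards to start. pppd runs ip-up.d scripts with the
# arguments: iface tty speed local-ip remote-ip ipparam.

# Placeholder "home" and "office" prefixes (RFC 5737 documentation ranges).
KNOWN_NETS="192.0.2.0/24 198.51.100.0/24"

# ip_to_int 192.0.2.5 -> 3221225989 (dotted quad to 32-bit integer)
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR CIDR -> succeeds when ADDR lies inside CIDR
in_cidr() {
    addr=$(ip_to_int "$1")
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# classify_network ADDR -> "known" (home/office) or "unknown" (anywhere else)
classify_network() {
    for n in $KNOWN_NETS; do
        if in_cidr "$1" "$n"; then echo known; return 0; fi
    done
    echo unknown
}

# link_class IFACE -> "slow" for PPP links (dial-up / cell phone), else "fast"
link_class() {
    case $1 in
        ppp*) echo slow ;;
        *)    echo fast ;;
    esac
}

# ssh_tunnel_args LINKCLASS -> ssh options for the two forwards the post needs:
# local 1119 -> NNTP (119) and local 1143 -> mail (assumed IMAP, 143), both
# reached through a placeholder gateway host. Compression (-C) only on slow links.
ssh_tunnel_args() {
    args="-f -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30"
    [ "$1" = slow ] && args="$args -C"
    args="$args -L 127.0.0.1:1119:news.example.net:119"
    args="$args -L 127.0.0.1:1143:mail.example.net:143"
    echo "$args gateway.example.net"
}

# decide_action IFACE ADDR -> "none" on a known network (local traffic stays
# untunnelled and uncompressed), otherwise the ssh command line to run.
decide_action() {
    if [ "$(classify_network "$2")" = known ]; then
        echo none
    else
        echo "ssh $(ssh_tunnel_args "$(link_class "$1")")"
    fi
}

# Hook entry point: only act when pppd supplied its arguments.
if [ $# -ge 4 ]; then
    action=$(decide_action "$1" "$4")
    if [ "$action" != none ]; then
        $action   # word-splitting the generated command line is intended
    fi
fi
```

One caveat this sketch makes visible: pppd runs these hooks as root, outside the login session, so the user's ssh-agent socket is not available to the `ssh` call. The hook therefore needs either a dedicated, passphrase-less key restricted on the gateway to port forwarding only (a key that is simple to revoke from one place if the laptop goes missing), or some way to reach the agent, which is exactly the password trade-off the post raises.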