Methods and devices are provided for establishing a VPN tunnel for a user
whose IP address is not known in advance (a "road warrior"). The road
warrior first initiates a secure authentication session with a security
gateway. In some such implementations, the road warrior provides a
username/password pair that the security gateway compares to a database
of usernames that have been authorized to initiate a VPN tunnel. After
authenticating the road warrior, the security gateway determines the
road warrior's IP address and correlates that IP address with the user
and a shared secret allocated to the road warrior. If the
road warrior uses the proper shared secret in connection with a request
to establish a VPN tunnel, the security gateway will establish the VPN
tunnel.
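
The flow described above, sketched as an added example that is not taken from the source document. Assumptions: PBKDF2 password storage, a 300-second binding lifetime, and an HMAC over a gateway-issued nonce standing in for the tunnel protocol's shared-secret proof; all class, function and parameter names are hypothetical.

```python
import hashlib
import hmac
import os
import time

BINDING_TTL = 300  # seconds a post-login binding stays valid (assumed value)

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def client_proof(secret, nonce):
    """Road warrior side: prove knowledge of the shared secret for this nonce."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()

class SecurityGateway:
    def __init__(self):
        self.users = {}     # username -> (salt, password hash, shared secret)
        self.bindings = {}  # source IP -> (username, shared secret, nonce, expiry)

    def add_user(self, username, password):
        """Authorize a user and allocate the shared secret (returned for provisioning)."""
        salt, secret = os.urandom(16), os.urandom(32)
        self.users[username] = (salt, _pw_hash(password, salt), secret)
        return secret

    def authenticate(self, username, password, source_ip, now=None):
        """Check credentials, then correlate the observed IP with user and secret."""
        now = time.time() if now is None else now
        salt, expected, secret = self.users.get(username, (b"\0" * 16, b"", b""))
        # Hash even for unknown users so both failure paths cost the same.
        if not hmac.compare_digest(_pw_hash(password, salt), expected):
            return None
        nonce = os.urandom(16)
        self.bindings[source_ip] = (username, secret, nonce, now + BINDING_TTL)
        return nonce

    def request_tunnel(self, source_ip, proof, now=None):
        """Accept only if this IP has a live binding and the proof uses its secret."""
        now = time.time() if now is None else now
        binding = self.bindings.get(source_ip)
        if binding is None or now > binding[3]:
            self.bindings.pop(source_ip, None)  # drop stale bindings
            return None
        username, secret, nonce, _ = binding
        if not hmac.compare_digest(proof, client_proof(secret, nonce)):
            return None
        del self.bindings[source_ip]  # one tunnel per authentication
        return username
```

A tunnel request is refused when it comes from an address with no binding, after the binding has expired, or when the proof was computed with a different secret, so a stolen shared secret alone does not open a tunnel from an arbitrary address.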