[Openswan Users] Roaming user to Central site VPN or dynamic IP address to static IP address VPN..

Alejandro Correa linuxservers at gmail.com
Sat Nov 17 12:23:07 EST 2007


Hi list,

only to let you know that with your help I now have a NetToNet VPN
with a Roaming User (dynamic IP) to Central Site (static IP) working
for about 4 days.
I tried both proposed solutions, and the one that works for me was
setting right=%any and dpdaction=hold on the server side. I don't know
if there is a security implication in this?

Now I am going to try with certificate authentication; I have already begun
to read the information about it.

Paul, Peter. ->  Thank you very much


Alejandro.

On Nov 13, 2007 10:55 AM, Peter McGill <petermcgill at goco.net> wrote:
> > -----Original Message-----
> > From: users-bounces at openswan.org
> > [mailto:users-bounces at openswan.org] On Behalf Of Paul Wouters
> > Sent: November 13, 2007 12:40 AM
> > To: Alejandro Correa
> > Cc: users at openswan.org
> > Subject: Re: [Openswan Users] Roaming user to Central site
> > VPN or dynamic IP address to static IP address VPN..
> >
> > On Mon, 12 Nov 2007, Alejandro Correa wrote:
> >
> > > Hello everybody,
> > > It is my first post here, and these are my first attempts with
> > > OpenSwan.
> > > The VPN is between two Linksys boxes running OpenWRT 0.9
> > > with OpenSwan version 2.4.6-1.
> > > The VPN type is Net To Net. One box is a pppoe dynamic IP address
> > > (RoamingUser), and the other has a static IP address
> > > (CentralSite).
> > > The tunnel is working fine, except when the IP address of the
> > > RoamingUser side changes; when this happens, it cannot establish the
> > > tunnel again. If I restart the IPSEC service in the Central Site the
> > > VPN comes up again and it works fine until the next IP
> > > address change on the Roaming User side. It is the only way that I have
> > > found to re-establish the tunnel.
> > > For the dynamic IP address I created a dyndns account.
> > > I have tried different parameters but I cannot fix this problem.
> >
> > You will need to restart the tunnel on the clients in your "my ip
> > just changed" script. This can be /etc/ppp/ip-up.d/restart_ipsec
> >
> > where in restart_ipsec, you do something like:
> >
> > #!/bin/sh
> > # run from /etc/ppp/ip-up.d after pppoe brings up the new address
> > ipsec auto --replace tocentralsite   # reload the conn with the new IP
> > ipsec auto --up tocentralsite        # bring the tunnel up again
> >
> > --replace is needed if your IP has changed, it reloads the connection.
> >
> > You want to enable DPD on both ends using dpdaction=, dpdtimeout= and
> > dpddelay=. On the server end you want dpdaction=clear, on the client
> > dpdaction=restart
> >
> > Your central server should also have rekey=no (it cannot
> > rekey to dynamic ips)
>
> I believe you'll also need to set right=%any on the server side, because
> Openswan only reads the IP from the DNS at startup, and doesn't check again, so
> it will not see the changed IP address.
>
> Peter
>
>
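As an added example for the settings the thread converges on (right=%any and DPD on the static side, dpdaction=restart on the roaming side, rekey=no on the central site), not code from the thread or from Openswan: a small Python lint that parses constructed ipsec.conf fragments for both ends and reports which of those settings are missing or wrong. The conn names, addresses and DPD timer values are made up. It accepts dpdaction=hold as well as clear on the server, since Alejandro reports hold working. The caveat behind his question: right=%any means any peer that can authenticate is accepted under that conn, so with authby=secret the PSK has to be an entry that matches any peer and is therefore shared by every roaming host, which is why moving to per-host certificates, as he plans, is the usual next step.

```python
"""Lint Openswan ipsec.conf conn sections for the roaming-client settings
discussed in the thread. Sample configs below are constructed, not real."""

# Constructed central-site (static IP) config: accepts the roaming peer from any address.
SERVER_CONF = """\
config setup
    interfaces=%defaultroute

conn roaming
    left=203.0.113.10
    leftsubnet=192.168.1.0/24
    right=%any
    rightsubnet=192.168.2.0/24
    authby=secret
    auto=add
    dpdaction=clear
    dpddelay=30
    dpdtimeout=120
    rekey=no
"""

# Constructed roaming-client (dynamic IP) config: restarts the tunnel when DPD fails.
CLIENT_CONF = """\
conn tocentralsite
    left=%defaultroute
    leftsubnet=192.168.2.0/24
    right=203.0.113.10
    rightsubnet=192.168.1.0/24
    authby=secret
    auto=start
    dpdaction=restart
    dpddelay=30
    dpdtimeout=120
"""

# Acceptable values per side; None means "must be absent or any value".
SERVER_EXPECTED = {"right": {"%any"}, "dpdaction": {"clear", "hold"}, "rekey": {"no"}}
CLIENT_EXPECTED = {"dpdaction": {"restart"}}
DPD_TIMERS = ("dpddelay", "dpdtimeout")


def parse_ipsec_conf(text):
    """Return {section header: {key: value}} for every 'conn X' / 'config setup'
    section. Headers start at column 0; settings are indented key=value lines."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip()
            sections[current] = {}
        elif current is not None:
            key, sep, value = line.strip().partition("=")
            if sep:
                sections[current][key.strip()] = value.strip()
    return sections


def check_conn(conn, expected):
    """Return a list of human-readable problems for one conn section."""
    problems = []
    for key, allowed in expected.items():
        got = conn.get(key)
        if got not in allowed:
            problems.append(f"{key}={got!r}, expected one of {sorted(allowed)}")
    if "dpdaction" in conn:
        # DPD only works when both timers are set alongside dpdaction.
        for timer in DPD_TIMERS:
            if timer not in conn:
                problems.append(f"{timer} missing (DPD needs both timers)")
    return problems


def lint(text, role):
    """Lint every conn in an ipsec.conf text for the given role ('server' or 'client').
    Returns {conn name: [problems]}; an empty list means the conn passes."""
    expected = SERVER_EXPECTED if role == "server" else CLIENT_EXPECTED
    report = {}
    for header, conn in parse_ipsec_conf(text).items():
        if header.startswith("conn ") and header != "conn %default":
            report[header[len("conn "):]] = check_conn(conn, expected)
    return report


if __name__ == "__main__":
    for role, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        for name, problems in lint(conf, role).items():
            print(f"{role}/{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run it against the real /etc/ipsec.conf on each box by reading the file into `lint()`; a conn that still names the roaming peer by its dyndns hostname instead of %any will be flagged, which is exactly the failure Peter describes, since Openswan resolves that name only at startup.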
