[Openswan Users] DPD with domain name

Paul Wouters paul at xelerance.com
Wed Apr 26 20:18:40 CEST 2006


On Wed, 26 Apr 2006, wei minghu wrote:

> I found that DPD doesn't work when the remote end is set with a domain name
> which may change after some time. When DPD times out, it only connects
> to the old IP, but the IP of the remote peer has changed.
>
> I have searched the code of openswan, and I found the remote address stored in
> 'struct connect' is 'struct ip_addr'. So, when the IP address of the remote peer
> changes, openswan can't get it from DNS. The solution is to restart the
> connection using 'ipsec auto --replace conn_name' and 'ipsec auto
> --rereadsecrets conn_name'.
>
> I want to know if there is some better solution for this?

No, but doing a new DNS lookup when DPD hits a timeout is a planned feature.
Other people have done hacks to solve this, but they were implemented very
badly, e.g. using a new loop, and have not been adopted by openswan.

Paul
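The manual workaround from the question, wrapped in a small watchdog as an added example (not from the thread or from Openswan itself): it polls DNS for the peer name used in right=, and only when the resolved address actually changes does it run `ipsec auto --replace` and `--rereadsecrets`. The connection name, peer hostname and poll interval are assumed placeholders.

```shell
#!/bin/sh
# Constructed example: re-resolve a DNS-named peer and reload the conn on change.
CONN="${CONN:-roadwarrior}"               # conn name from ipsec.conf (assumed)
PEER_HOST="${PEER_HOST:-vpn.example.org}" # hostname used in right= (assumed)
INTERVAL="${INTERVAL:-60}"                # seconds between DNS checks (assumed)
IPSEC="${IPSEC:-ipsec}"                   # set IPSEC=echo for a dry run

# Resolve a hostname to its first IPv4 address; prints nothing on failure.
resolve_peer() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# True (exit 0) only when both addresses are non-empty and differ, so a
# transient DNS failure (empty result) never triggers a needless reload.
peer_changed() {
    old="$1"; new="$2"
    [ -n "$old" ] && [ -n "$new" ] && [ "$old" != "$new" ]
}

# Apply the workaround: --replace makes pluto re-read and re-resolve the conn,
# then --rereadsecrets (a global operation) reloads the keys for it.
refresh_conn() {
    "$IPSEC" auto --replace "$1" && "$IPSEC" auto --rereadsecrets
}

# Poll loop; the cached address is only updated after a successful reload.
watch_peer() {
    last="$(resolve_peer "$PEER_HOST")"
    while sleep "$INTERVAL"; do
        now="$(resolve_peer "$PEER_HOST")"
        if peer_changed "$last" "$now"; then
            echo "$PEER_HOST moved from $last to $now; replacing $CONN"
            refresh_conn "$CONN" && last="$now"
        fi
    done
}

case "${1:-}" in run) watch_peer ;; esac
```

Start it with `sh peer-watch.sh run` (name assumed) alongside pluto; DPD still tears down the dead SA, this only makes the re-established one use the new address.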
