[Openswan Users] RE: DPD Site behind NAT

Shi Lang shilang at greenpacket.com
Thu Aug 10 07:13:46 EDT 2006


Thanks Paul,

That really works, thanks. Please confirm whether my case below is correct or not:
###############################
ServerA(privateIP)---NATFirewall...ServerB(publicIP)

ServerA updates its DNS record at dyndns.com when the NATFirewall public IP
changes to a new public IP.

ServerB ipsec.conf has "right=ServerA domain name".

Now I change the NATFirewall public IP mapping for ServerA; after dyndns.com
has updated, ServerB sees that the ServerA domain name's IP has also changed.
################################
So for this case, ServerB dpdaction=clear, in order to remove the ServerA domain
name's old IP address (ipsec auto --status shows right as the IP resolved from
the ServerA domain name) (it removes the whole connection name from ipsec auto
--status).
But my doubt is that with ServerB dpdaction=clear, ServerA cannot re-establish
with ServerB any more.
I think ServerB dpdaction should be restart, because once DPD restarts,
"ipsec auto --status" shows the new ServerA domain IP and tries to
re-establish with ServerA. So for ServerA in this case it does not matter
whether it is set to hold, clear or restart.


Please guide me if I am wrong again :)
Thanks
Regards,
Shi Lang

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Thursday, August 10, 2006 10:56 AM
To: Shi Lang
Cc: users at openswan.org
Subject: RE: DPD

On Thu, 10 Aug 2006, Shi Lang wrote:

> Thanks very much for the explanation.
>
> If site-to-site VPN, one site is behind NAT and the NAT changes the public IP
> for that site's mapping, or this site is in the PPPoE dial-up case,
> which dpdaction should be used?

That is a roadwarrior scenario. So dpdaction=clear on the site with the public
IP, and dpdaction=restart on the server behind NAT.

Paul
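
The following is an added example for this archive page, not a config posted by Shi Lang or Paul: Openswan ipsec.conf fragments for the layout described in the thread (ServerA behind a NAT firewall whose public IP changes, ServerB on a fixed public IP), using the dpdaction values Paul gives. The connection names, IDs, addresses and subnets are placeholders. On ServerB, right=%any is used instead of the dyndns hostname, which is the roadwarrior pattern Paul refers to: ServerB then accepts ServerA from whatever public address the NAT firewall currently has, clears the dead SA on DPD timeout, and waits for ServerA to re-initiate.

```conf
# Added example (not from the thread). Placeholder names and addresses.
# Both hosts need NAT traversal enabled in the setup section.
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

# ---- ServerB: fixed public IP ------------------------------------------
# Responder only (auto=add): it cannot initiate to %any. When DPD declares
# ServerA dead, dpdaction=clear drops the SAs and the conn waits for a new
# connection from ServerA, whatever source IP the NAT firewall now has.
conn servera-behind-nat
        left=203.0.113.10            # ServerB public IP (placeholder)
        leftid=@serverb
        leftsubnet=192.168.2.0/24    # ServerB-side LAN (placeholder)
        right=%any                   # roadwarrior: any peer address
        rightid=@servera             # peer identified by ID, not by IP
        rightsubnet=192.168.1.0/24   # ServerA-side LAN (placeholder)
        authby=secret                # ipsec.secrets on ServerB needs a
                                     # "203.0.113.10 %any : PSK ..." entry
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        auto=add

# ---- ServerA: private IP behind the NAT firewall -----------------------
# Initiator (auto=start). When DPD times out, e.g. after the NAT public IP
# changed and ServerB stopped answering on the old mapping, dpdaction=restart
# tears the SAs down and re-initiates to ServerB from the new mapping.
conn to-serverb
        left=%defaultroute           # ServerA private address behind NAT
        leftid=@servera
        leftsubnet=192.168.1.0/24
        right=203.0.113.10           # ServerB public IP (placeholder)
        rightid=@serverb
        rightsubnet=192.168.2.0/24
        authby=secret
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        auto=start
```

The point of the split is that only the side whose address can change (ServerA) is able to re-establish the tunnel, so it gets restart; the fixed-address side must not try to restart towards an address it can no longer reach, so it gets clear. Using @-style IDs on both sides keeps authentication independent of the NATed peer's current public IP.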