[Openswan Users] RE: DPD Site behind NAT

Shi Lang shilang at greenpacket.com
Thu Aug 10 13:15:24 EDT 2006


Thanks Paul,

You said "With DPD, you might not be doing a DNS lookup for a changed dyndns
host."

Do you mean Openswan cannot handle the case where "left"/"right" use a domain
name instead of an IP, and that when the domain name's IP changes to another,
the administrator should manually configure ipsec.conf?

Thanks
Regards,
Shi Lang


-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Thursday, August 10, 2006 12:40 PM
To: Shi Lang
Cc: users at openswan.org
Subject: RE: DPD Site behind NAT

On Thu, 10 Aug 2006, Shi Lang wrote:

> Now I change NATfirewall public IP mapping to the ServerA, after dyndns.com
> has updated, ServerB see ServerA domain name will also change.
> ################################
> So for case, ServerB dpdaction=clear, in order to remove the ServerA domain
> name old IP address (ipsec auto --status can see right is IP resolved from
> ServerA domain name)(remove the whole connection name from the ipsec auto
> --status).
> But my doubt is ServerB dpdaction=clear, then ServerA can not re-establish
> with ServerB already.
> I think ServerB dpdaction should = restart, because once dpd restart we can
> "ipsec auto --status' can see the new ServerA domain IP, and try to
> re-establish with Server A", So for Server A at this case no matter to set
> hold or clear or restart.
>
>
> Please guide me if I am wrong again :)

I am not entirely sure how DPD is actually running things, and if they are
literally the equivalent of the commands ipsec auto ....

With DPD, you might not be doing a DNS lookup for a changed dyndns host.

Paul


