[Openswan Users] Re: How to change KLIPS interface mapping dynamicly without breaking running VPN connections

Chen Lintao chenlt at icevpn.org
Thu Feb 9 11:01:02 CET 2006 


On Wed, 2006-02-08 at 10:49 +0800, Chen Lintao wrote:
>> Hello World:
>>          I have two WAN connections ,  
>>          eth1  --  FIXEDIP
>>         eth2  --  PPPOE ( dynamic IP  and interfaces ppp0 , ppp1 ..) 
>> when eth2 PPPOE up , I can use certain conf below 
>> 
>> config setup
>>        interfaces="ipsec0=eth1 ipsec1=ppp0"
> 
>I guess you're using KLIPS, if you need to control ipsec<n> mappings.
>You may do better with NETKEY, it doesn't care about interfaces, just
>addresses.
>Using KLIPS I was able to do something similar by using the "ipsec
>tncfg" command (see man ipsec_tncfg(1) for details) to reattach the
>ipsec0 to ppp0 after the PPP interface got dropped and reconnected. I
>think it only works if your IP address doesn't change.
>I used the /etc/ppp/ip-up.local script hooks to do that.
Yes , I am using KLIPS . When using NETKEY , if ppp IP address changes ,
will it be restarted ? 

>If your PPP IP changes, I think you're out of luck, because pluto would
>need to be restarted in order to bind to the new interface address.
Unlucky , my ppp IP always changes when reconnected .
  
>> My Question is :
>> When eth2  reconnected , and  eth2 bounded  interface changed -->
>> ppp1  ( not ppp0 before )

>Do you know why the interface name changes? If the connection drops &
>reconnects, it should still use ppp0. You may have a problem with your
>pppoe setup, perhaps it's starting a new pppd process before the old one
>has terminated.
Yes , I know . I have two WAN connections and run PPTP server on it .
When eth2 - ppp0 dropped , and then one pptp client user dialed in on eth1,
the 
pptp user using ppp0 .  And when eth2 (PPPOE) reconnects, it will using ppp1
...

> 
>> how could I change  ipsec1 mapping without  modifying ipsec.conf again
>> and  " ipsec setup restart"
>> 
>> Because I have established VPN connections at ipsec0(eth1) and don't
>> want to break it .
> 
>Maybe it's possible to run 2 pluto processes? You can control the
>interfaces that pluto binds to with something like
>config setup
>  plutoopts="--interface eth1"
>Probably by doing that you can start a pluto that just runs on eth1,
>then have another on the PPP interface that can be stopped & started as
>required.
>I'm sure the supplied startup scripts won't do that though, you'll have
>to do some custom stuff.
>Good luck...
Maybe this is one way out . Run individual Pluto on each interface . I will
try
> 
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
-- 
Andy <fs at globalnetit.com>

More information about the Users mailing list