[Openswan Users] Roaming user to Central site VPN or dynamic IP address to static IP address VPN..

Peter McGill petermcgill at goco.net
Tue Nov 13 08:55:29 EST 2007


> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Paul Wouters
> Sent: November 13, 2007 12:40 AM
> To: Alejandro Correa
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] Roaming user to Central site 
> VPN or dynamic IP address to static IP address VPN..
> 
> On Mon, 12 Nov 2007, Alejandro Correa wrote:
> 
> > Hello everybody,
> > It's my first post here, and these are my first attempts with OpenSwan.
> > The VPN is between two Linksys boxes running OpenWRT 0.9 with OpenSwan
> > version 2.4.6-1.
> > The VPN type is Net To Net. One box is a pppoe dynamic IP address
> > (RoamingUser), and the other with a static IP address (CentralSite).
> > The tunnel is working fine, except when the IP address of the
> > RoamingUser side changes. When this happens, it cannot establish the
> > tunnel again. If I restart the IPSEC service in the Central Site the
> > VPN comes up again and it works fine until the next IP address change on
> > the Roaming User side. It is the only way that I have found to reestablish
> > the tunnel again.
> > For the dynamic IP address I created a dyndns account.
> > I have tried different parameters but I cannot fix this problem.
> 
> You will need to restart the tunnel on the clients in your "my ip
> just changed" script. This can be /etc/ppp/ip-up.d/restart_ipsec
> 
> where in restart_ipsec, you do something like:
> 
> #!/bin/sh
> 
> ipsec auto --replace tocentralsite
> ipsec auto --up tocentralsite
> 
> --replace is needed if your IP has changed, it reloads the connection.
> 
> You want to enable DPD on both ends using dpdaction=, dpdtimeout= and
> dpddelay=. On the server end you want dpdaction=clear, on the client
> dpdaction=restart
> 
> Your central server should also have rekey=no (it cannot rekey to dynamic ips)

I believe you'll also need to set right=%any on the server side, because
Openswan only reads the IP from DNS at startup and doesn't check again, so
it will not see the changed IP address.

Peter
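Putting the advice in this thread together, here is what the two ipsec.conf conn blocks could look like. This is an added example, not configuration posted by Paul, Alejandro or Peter; the connection name follows Paul's script, while the addresses (documentation range), subnets, the @centralsite/@roaminguser identities and the choice of pre-shared-key authentication are all assumptions.

```ini
# --- /etc/ipsec.conf on CentralSite (static IP) ---
# Added example; 203.0.113.10, the subnets and the ids are placeholders.
conn tocentralsite
        left=203.0.113.10
        leftsubnet=192.168.1.0/24
        leftid=@centralsite
        # Accept the peer from any address instead of resolving its dyndns
        # name once at startup; the peer is identified by rightid instead.
        right=%any
        rightsubnet=192.168.2.0/24
        rightid=@roaminguser
        authby=secret
        # The server cannot initiate a rekey towards an address that moved.
        rekey=no
        # Dead peer detection: when the old client address goes silent,
        # clear the stale SA and wait for the client to come back.
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        # Only load the conn; the roaming side is the one that initiates.
        auto=add

# --- /etc/ipsec.conf on RoamingUser (pppoe, dynamic IP) ---
conn tocentralsite
        # Pick up whatever address pppoe assigned; after a change the
        # ip-up script still has to run "ipsec auto --replace/--up".
        left=%defaultroute
        leftsubnet=192.168.2.0/24
        leftid=@roaminguser
        right=203.0.113.10
        rightsubnet=192.168.1.0/24
        rightid=@centralsite
        authby=secret
        dpddelay=30
        dpdtimeout=120
        # The client is the side that knows its own new address, so it
        # is the side that restarts the tunnel on DPD failure.
        dpdaction=restart
        # Keep retrying while the central site clears the old SA.
        keyingtries=%forever
        auto=start
```

Two practical points when deploying this: with right=%any the central site no longer has a fixed peer address to look the PSK up by, so its ipsec.secrets entry has to be keyed on %any (or the setup switched to RSA keys); and dpdtimeout must be comfortably larger than dpddelay, otherwise a single lost probe on a slow pppoe link is treated as a dead peer and the tunnel is torn down needlessly.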
