[Openswan Users] Roadwarrior conn problem: need right IP address?

Paul Wouters paul at xelerance.com
Wed Oct 15 22:15:51 EDT 2008


On Wed, 15 Oct 2008, OCG Technical Support wrote:

> Hmmm...that could be a real problem for me.  My gateway is on dynamic IP,
> but has a dynamic DNS entry available externally.  So my questions are:
> 
> 1. If I use my dynamic FQDN (firewall.xxx.ca) would IPsec allow this?

Yes.

> 2. If so, what happens when my IP changes (and IPsec hasn't restarted)?  Do
> I have to restart ipsec or will it keep accepting connections?

If you use DPD, the conn will properly fail and restart. If you compile
with USE_DYNAMICDNS=true set in Makefile.inc, then openswan will do a
new DNS lookup to determine the new IP. If your own IP changes, you need
to do a restart of openswan. Perhaps you can get away with just running
"ipsec whack --listen" but I am not entirely sure if that works with
dynamic dns.

> 3. Why can't IPsec accept %defaultroute instead of my FQDN on the external
> interface?  The result should be the same.

Pluto needs to find out if it is left or right. If one end is
"defaultroute" and the other is "any", which side is it?

> I also run poptop and that works fine with changing IP...

That's not IPsec. Please feel free to migrate to it :)

Paul

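An added illustration of the setup discussed above (it is not from the original thread or from Openswan's own documentation): a gateway on a dynamic-DNS name and a road-warrior pointing at it, with DPD configured so the connection is torn down and re-established when the other side stops answering. The names firewall.xxx.ca and the subnet are taken from the question or constructed; "roadwarrior", the timers and the key type are assumptions.

```conf
# --- gateway side (dynamic public IP, reachable as firewall.xxx.ca) ---
conn roadwarrior
    left=firewall.xxx.ca          # resolved when the conn is loaded; a new
                                  # lookup after an IP change needs the
                                  # USE_DYNAMICDNS=true build mentioned above
    leftid=@firewall.xxx.ca       # stable identity, independent of the IP
    leftsubnet=192.168.1.0/24     # constructed: LAN behind the gateway
    right=%any                    # the road warrior can come from anywhere
    authby=rsasig
    dpddelay=30                   # probe the peer every 30 s (assumed value)
    dpdtimeout=120                # declare it dead after 120 s of silence
    dpdaction=clear               # responder: just drop the dead SA
    auto=add                      # wait for the road warrior to initiate

# --- road-warrior side (itself on a dynamic address) ---
conn roadwarrior
    left=%defaultroute            # whatever address the default route uses
    leftid=@roadwarrior.xxx.ca    # assumed identity for this client
    right=firewall.xxx.ca         # the gateway's dynamic-DNS name
    rightid=@firewall.xxx.ca
    rightsubnet=192.168.1.0/24
    authby=rsasig
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart             # initiator: rebuild the tunnel when the
                                  # gateway goes quiet (e.g. its IP changed)
    auto=start
```

Here only one end uses %defaultroute and the other is a concrete name, which is the left/right ambiguity the reply above refers to; on the road warrior, a change of its own address still requires restarting openswan (or trying "ipsec whack --listen") as noted in the reply.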