[Openswan Users] Roadwarrior conn problem: need right IP address?

OCG Technical Support support at ocg.ca
Wed Oct 15 23:20:52 EDT 2008


I thought %defaultroute would be unique at the time IPsec starts (so a
unique address) but perhaps Openswan only calculates this at the time a
connection is established (which might change the default route?).  

I tried using my external FQDN (firewall.xxx.ca - which resolves properly)
in the conn definition (see below)...but I still get:
Oct 15 23:13:01 firewall ipsec__plutorun: 022 connection must specify host IP address for our side

Any idea why this isn't accepted?  Thanks

conn vpn
        rekey=no
        left=firewall.xxx.ca
        leftcert=firewall-cert.pem
        #leftrsasigkey=%cert 
        right=%any
        rightid="C=CA, ST=MyProv, L=MyCity, O=MyCo, OU=VPN, CN=ABC"
        rightrsasigkey=%cert
        auto=add

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: October 15, 2008 10:16 PM
To: Michelle Dupuis
Cc: users at openswan.org
Subject: RE: [Openswan Users] Roadwarrior conn problem: need right IP address?
Importance: High

On Wed, 15 Oct 2008, OCG Technical Support wrote:

> Hmmm...that could be a real problem for me.  My gateway is on dynamic IP,
> but has a dynamic DNS entry available externally.  So my questions are:
>
> 1. If I use my dynamic FQDN (firewall.xxx.ca) would IPsec allow this?

Yes.

> 2. If so, what happens when my IP changes (and IPsec hasn't restarted)? Do
> I have to restart ipsec or will it keep accepting connections?

If you use DPD, the conn will properly fail and restart. If you compile
with USE_DYNAMICDNS=true set in Makefile.inc, then openswan will do a
new DNS lookup to determine the new IP. If your own IP changes, you need
to do a restart of openswan. Perhaps you can get away with just running
"ipsec whack --listen" but I am not entirely sure if that works with
dynamic dns.

> 3. Why can't IPsec accept %defaultroute instead of my FQDN on the external
> interface?  The result should be the same.

Pluto needs to find out if it is left or right. If one end is
"defaultroute" and the other is "any", which side is it?

> I also run poptop and that works fine with changing IP...

That's not IPsec. Please feel free to migrate to it :)

Paul
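The following is an added ipsec.conf example illustrating the setup Paul describes above: a gateway named by its dynamic-DNS FQDN, certificate-authenticated roadwarriors, and DPD enabled on both ends so a stale SA is torn down and re-established after an address change. It is not the poster's configuration or anything from the Openswan project; the dynamic-DNS name and certificate DN are the ones from the thread, while the DPD timer values, the interface setting, the roadwarrior-side conn and its certificate filename are illustrative assumptions.

```ini
# Added example, not the poster's or Openswan's own configuration.
# Assumptions: firewall.xxx.ca is the gateway's dynamic-DNS name from the
# thread; the DPD timers, dpdaction values and the roadwarrior's certificate
# filename are illustrative choices.

# ---- gateway side (dynamic IP, dynamic-DNS name) ----
config setup
        # listen on the interface that carries the default route
        interfaces=%defaultroute

conn vpn
        # our side is named by the dynamic-DNS FQDN; the name is resolved when
        # the conn is loaded, so after the gateway's address changes the
        # daemon must be restarted (or built with USE_DYNAMICDNS=true so it
        # re-resolves the name itself), as noted in the reply above
        left=firewall.xxx.ca
        leftcert=firewall-cert.pem
        # roadwarriors connect from anywhere and are identified by their
        # certificate subject DN
        right=%any
        rightid="C=CA, ST=MyProv, L=MyCity, O=MyCo, OU=VPN, CN=ABC"
        rightrsasigkey=%cert
        # Dead Peer Detection is only negotiated when BOTH peers set
        # dpddelay and dpdtimeout. On the responder, a dead peer's SA is
        # cleared so the same roadwarrior can reconnect from a new address.
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        rekey=no
        auto=add

# ---- roadwarrior side (assumed; mirrors the gateway conn) ----
conn vpn
        # the client is "left" here; %defaultroute is fine on the initiator
        # because the other end is a fixed name, not %any
        left=%defaultroute
        leftcert=roadwarrior-cert.pem
        right=firewall.xxx.ca
        rightrsasigkey=%cert
        dpddelay=30
        dpdtimeout=120
        # when the gateway stops answering DPD (e.g. its address moved),
        # tear down the SA and re-initiate, which re-resolves the FQDN
        dpdaction=restart
        auto=start
```

Note the asymmetry: the side that uses %any is the responder and cannot initiate, so dpdaction=restart only makes sense on the roadwarrior; the gateway just clears dead SAs. When the gateway's own address changes, the gateway-side conn still needs a restart (or a dynamic-DNS-aware build) for the `left=` name to be re-resolved; DPD alone only handles the roadwarrior's view of the gateway.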


