[Openswan Users] Connection against a Lucent FW success!!!! but may be there's still room for improvement

Rolando J. Zappacosta zappacor at yahoo.com.ar
Thu Sep 11 02:55:45 EDT 2008


>> Thanks! I put a note of this in docs/lucent-client.txt, and it will end up
>> in the new wiki once we have it online.
This is going to be really appreciated by all the users like me that 
couldn't find updated info on how to configure things, if any.


>> Openswan does support DNS/WINS via XAUTH/ModeConfig. Though as a client, we
>> might be ignoring it, since we have no structured way of modifying resolv.conf
>> in any modern way (eg dbus/networkmanager). I believe we might only pass it
>> as env variables to the updown script.
At least, this is better than nothing.

>> You can copy the stock _updown script and add resolv.conf rewriting to it,
>> and configure the new script using leftupdown=
I did it, thanks for the info. I added this line in the "conn Intranet" part
of ipsec.conf
    leftupdown=/etc/ipsec/ipsec.updown
and, for others' reference, this is the /etc/ipsec/ipsec.updown script I
wrote:
#! /bin/bash

# Installing a new version of Openswan will install a new
# copy of /usr/lib/ipsec/_updown wiping out any custom changes on it.
# So, we make a copy of it here that lets us update the DNS servers
# on tunnel up and down accordingly.

# We start calling the standard _updown handler:
/usr/lib/ipsec/_updown

# and now we update /etc/resolv.conf:

# First, we define the name of the connection we want to have the
# DNS servers updated and the IP address of each one of them:
CONNECTION_1="Intranet"
CONNECTION_1_DNS_SERVER_1="MyDNS1IPaddrr"
CONNECTION_1_DNS_SERVER_2="MyDNS2IPaddrr"
# We do it this way in order to make easier (just copy and paste)
# the addition of the config for the DNS servers of future
# connections.

# Where the pre-tunnel resolv.conf is kept while the tunnel is up:
RESOLV_BACKUP="/etc/resolv.conf.pluto.$PLUTO_CONNECTION"
TAG=$(basename "$0")

case "$PLUTO_VERB:$PLUTO_CONNECTION" in
    up-client:$CONNECTION_1)
        # Our connection is coming up so we backup the content
        # of /etc/resolv.conf, we create a new one pointing to the
        # DNS within the remote network appending the info
        # from the original one at the end of it (just in case).
        # Only rewrite if our first DNS server is not already listed:
        if ! grep -q "$CONNECTION_1_DNS_SERVER_1" /etc/resolv.conf ; then
            cp /etc/resolv.conf "$RESOLV_BACKUP"
            echo "# Generated by $TAG for IPSec connection $PLUTO_CONNECTION" > /etc/resolv.conf
            echo "nameserver $CONNECTION_1_DNS_SERVER_1" >> /etc/resolv.conf
            echo "nameserver $CONNECTION_1_DNS_SERVER_2" >> /etc/resolv.conf
            echo >> /etc/resolv.conf
            cat "$RESOLV_BACKUP" >> /etc/resolv.conf
            logger -it "$TAG" "DNS servers for the IPSec connection $PLUTO_CONNECTION added."
        fi
        ;;
    down-client:$CONNECTION_1)
        # Our connection is going down so we restore the original
        # /etc/resolv.conf file:
        mv "$RESOLV_BACKUP" /etc/resolv.conf 2>/dev/null && \
            logger -it "$TAG" "DNS servers for the IPSec connection $PLUTO_CONNECTION removed."
        ;;
    *)
        ;;
esac

# Things that this script uses:
# PLUTO_VERB: specifies the name of the operation to be performed
# PLUTO_CONNECTION: is the name of the connection