[Openswan Users] Managing site to site VPNs where either end may have enforced NAT applied to it

[Anthony]

(Whewps.. sent from wrong address and it bounced)

Hi Paul,

Thanks for your response.. This is the first time I've really tried
(and needed) to understand IPsec as you may have figured out :)

> Per default, openswan can switch without problem between being initiator
> and responder. however, it requires either a static ip or a "static" dns
> name to connect to. It sounds like you wont have a static up, so you
> will need ensure your openswan is compiled with USE_DYNAMICDNS, so that
> on initiating, it will do a new lookup on the dns name, which you can
> then update (eg dyndns and friends)

So, I set up SysA.example.com and SysB.example.com as dynamic DNS
entries then set these hostnames as the addresses specified in the
openswan config...

In the event that:
* System A's main link fails, and it is assigned internal IP X by its
network provider, appearing as IP Y to the outside world
* System A attempts to connect to System B
... what kind of checks will System B perform, if any, against System
A's hostname (SysA.example.com), System A's interface IP X and System
A's apparent IP Y?

My thoughts are that if both ends know one another's endpoint IDs and
shared secret or certificate(s), checking whether or not the hostname
and/or IPs match isn't as important.. would I have to instruct
openswan along these lines?

If some of these checks can't be disabled, what is openswan expecting?
SysA == IP X... SysA == IP Y.. IP X == IP Y unless nat traversal explicitly set?



When a link goes down, my understanding is that IPsec won't know about
it until it attempts to rekey, but that I could set a uniqueids option
and provided that the host that changed links immediately went to
re-establish the link, upon connecting it with the as yet unknowing
peer, it would remove the stale session in the process?



-- 
Regards,

Anthony Hogan
System Administrator