[Openswan Users] Managing site to site VPNs where either end may have enforced NAT applied to it
paul at xelerance.com
Wed Jun 17 09:52:58 EDT 2009
On Wed, 17 Jun 2009, Anthony wrote:
> So, I set up SysA.example.com and SysB.example.com as dynamic DNS
> entries then set these hostnames as the addresses specified in the
> openswan config...
> In the event that:
> * System A's main link fails, and it is assigned internal IP X by its
> network provider, appearing as IP Y to the outside world
> * System A attempts to connect to System B
> ... what kind of checks will System B perform, if any, against System
> A's hostname (SysA.example.com), System A's interface IP X and System
> A's apparent IP Y?
The hostname or IP is only used to contact the other side. Authentication
then happens to ensure that ip or hostname is the ipsec gateway we're
> My thoughts are that if both ends know one another's endpoint IDs and
> shared secret or certificate(s), checking whether or not the hostname
> and/or IPs match isn't as important.. would I have to instruct
> openswan along these lines?
Just configuring openswan for raw RSA keys, using textual leftid= and rightid=
settings with leftrsasigkey= and rightrsasigkey=, should be enough.
> If some of these checks can't be disabled, what is openswan expecting?
> SysA == IP X... SysA == IP Y.. IP X == IP Y unless nat traversal explicitly set?
Those checks are not done, as there is no security in that.
> When a link goes down, my understanding is that IPsec won't know about
> it until it attempts to rekey, but that I could set a uniqueids option
> and provided that the host that changed links immediately went to
> re-establish the link, upon connecting it with the as yet unknowing
> peer, it would remove the stale session in the process?
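As an added illustration of the configuration Paul describes (not from the original thread): both peers are identified by textual IDs and raw RSA keys, so authentication, not the source address, decides who the peer is, and the stable side accepts System A from any address. Hostnames, subnets and key values are constructed placeholders.

```ini
# --- /etc/ipsec.conf on System B (stable address) ---
config setup
    nat_traversal=yes      # accept a peer whose address is rewritten by NAT (UDP/4500 encapsulation)
    uniqueids=yes          # a new IKE SA presenting the same ID replaces the stale one
    # private ranges a NATed peer may sit behind (assumption: the RFC 1918 ranges)
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn sysa-to-sysb
    authby=rsasig
    # Textual IDs (@name) are matched against the peer's signature, never against its IP.
    left=%any                          # System A may arrive from any address (IP Y after NAT)
    leftid=@SysA.example.com
    leftrsasigkey=0sAQ<PLACEHOLDER-public-key-of-SysA>
    leftsubnet=192.168.1.0/24          # constructed example subnet behind A
    right=%defaultroute                # this host
    rightid=@SysB.example.com
    rightrsasigkey=0sAQ<PLACEHOLDER-public-key-of-SysB>
    rightsubnet=192.168.2.0/24         # constructed example subnet behind B
    auto=add                           # B cannot initiate towards %any; it waits for A

# --- /etc/ipsec.conf on System A (may be NATed after a failover) ---
config setup
    nat_traversal=yes

conn sysa-to-sysb
    authby=rsasig
    left=%defaultroute                 # whatever address A currently has (IP X)
    leftid=@SysA.example.com
    leftrsasigkey=0sAQ<PLACEHOLDER-public-key-of-SysA>
    leftsubnet=192.168.1.0/24
    right=SysB.example.com             # the dynamic DNS name, resolved when the conn is loaded
    rightid=@SysB.example.com
    rightrsasigkey=0sAQ<PLACEHOLDER-public-key-of-SysB>
    rightsubnet=192.168.2.0/24
    auto=start                         # A initiates, so it is the side that must re-establish after a link change
```

The keys are the public halves printed by `ipsec showhostkey --left` / `--right` on each host; each side carries its own public key and the peer's, and the private key stays in ipsec.secrets.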