[Openswan Users] Managing site to site VPNs where either end may have enforced NAT applied to it

Paul Wouters paul at xelerance.com
Wed Jun 17 09:52:58 EDT 2009


On Wed, 17 Jun 2009, Anthony wrote:

> So, I set up SysA.example.com and SysB.example.com as dynamic DNS
> entries then set these hostnames as the addresses specified in the
> openswan config...
>
> In the event that:
> * System A's main link fails, and it is assigned internal IP X by its
> network provider, appearing as IP Y to the outside world
> * System A attempts to connect to System B
> ... what kind of checks will System B perform, if any, against System
> A's hostname (SysA.example.com), System A's interface IP X and System
> A's apparent IP Y?

The hostname or IP is only used to contact the other side. Authentication
then happens to ensure that the IP or hostname is the IPsec gateway we're
looking for.

> My thoughts are that if both ends know one another's endpoint IDs and
> shared secret or certificate(s), checking whether or not the hostname
> and/or IPs match isn't as important. Would I have to instruct
> openswan along these lines?

Just configuring openswan for raw RSA keys using textual leftid= and rightid=
settings with leftrsasigkey= and rightrsasigkey= should be enough.

> If some of these checks can't be disabled, what is openswan expecting?
> SysA == IP X... SysA == IP Y... IP X == IP Y unless nat traversal explicitly set?

Those checks are not done, as there is no security in that.

> When a link goes down, my understanding is that IPsec won't know about
> it until it attempts to rekey, but that I could set a uniqueids option
> and provided that the host that changed links immediately went to
> re-establish the link, upon connecting it with the as yet unknowing
> peer, it would remove the stale session in the process?

Correct.

Paul

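The raw-RSA setup Paul describes, written out as an added ipsec.conf example for SysA that is not part of this thread; the LAN subnets and the key strings are placeholders and assumptions, the hostnames are the ones Anthony mentioned.

```ini
# /etc/ipsec.conf on SysA (added example; not from the mailing list thread).
# Replace the key placeholders with the output of "ipsec showhostkey --left"
# on SysA and "ipsec showhostkey --right" on SysB.
config setup
        nat_traversal=yes        # either end may sit behind an enforced NAT
        uniqueids=yes            # a new connection from the same ID replaces the stale one

conn sysa-sysb
        authby=rsasig
        # Textual IDs: the '@' prefix tells openswan to use the string as-is
        # and not resolve it, so the peer is authenticated by ID and key, not
        # by whatever address it currently appears from.
        leftid=@SysA.example.com
        rightid=@SysB.example.com
        left=%defaultroute                   # our own address may change on failover
        leftsubnet=192.168.1.0/24            # assumed LAN behind SysA
        leftrsasigkey=0sAQ...SYSA_PUBLIC_KEY_PLACEHOLDER...
        right=SysB.example.com               # dynamic DNS name, only used to reach the peer
        rightsubnet=192.168.2.0/24           # assumed LAN behind SysB
        rightrsasigkey=0sAQ...SYSB_PUBLIC_KEY_PLACEHOLDER...
        auto=start
```

On SysB the same conn is used with left/right and the subnets swapped and auto=add, so it waits for SysA to initiate after a link change.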