[Openswan Users] Managing site to site VPNs where either end may have enforced NAT applied to it

Anthony anthony.hogan at transwag.com.au
Wed Jun 17 02:14:11 EDT 2009

Hi Paul,

Thanks for your response. This is the first time I've really tried
(and needed) to understand IPsec, as you may have figured out :)

> By default, openswan can switch without problem between being initiator
> and responder. However, it requires either a static IP or a "static" DNS
> name to connect to. It sounds like you won't have a static IP, so you
> will need to ensure your openswan is compiled with USE_DYNAMICDNS, so that
> on initiating, it will do a new lookup on the DNS name, which you can
> then update (e.g. dyndns and friends)

So, I set up SysA.example.com and SysB.example.com as dynamic DNS
entries then set these hostnames as the addresses specified in the
openswan config...

In the event that:
* System A's main link fails, and it is assigned internal IP X by its
network provider, appearing as IP Y to the outside world
* System A attempts to connect to System B
... what kind of checks will System B perform, if any, against System
A's hostname (SysA.example.com), System A's interface IP X and System
A's apparent IP Y?

My thoughts are that if both ends know one another's endpoint IDs and
shared secret or certificate(s), checking whether or not the hostname
and/or IPs match isn't as important. Would I have to instruct
openswan along these lines?

If some of these checks can't be disabled, what is openswan expecting?
SysA == IP X? SysA == IP Y? IP X == IP Y unless NAT traversal is explicitly set?

When a link goes down, my understanding is that IPsec won't know about
it until it attempts to rekey. But could I set a uniqueids option so
that, provided the host that changed links immediately went to
re-establish the link, upon connecting to the as yet unknowing
peer it would remove the stale session in the process?

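The configuration below is an added illustration for this thread, not Anthony's or Paul's configuration and not Openswan project code. It sketches an ipsec.conf for the situation described above: both ends reach each other by dynamic DNS name, either end may be behind a NAT, and the tunnel should recover when one end changes address. The hostnames, subnets and key values are placeholders; USE_DYNAMICDNS (from Paul's reply) is assumed to be compiled in so the names are re-resolved on each initiation.

```ini
# Added example (not from this thread or the Openswan project): an ipsec.conf
# sketch for a site-to-site tunnel where either end may sit behind a NAT and
# reaches its peer by dynamic DNS name. Hostnames, subnets and keys are placeholders.
config setup
    nat_traversal=yes        # detect NAT and fall back to UDP/4500 encapsulation
    uniqueids=yes            # a new IKE SA from the same ID replaces the stale one

conn siteA-siteB
    # Both ends are named by dynamic DNS. With USE_DYNAMICDNS the name is
    # re-resolved each time the connection is initiated, so a new public
    # address is picked up without editing the config.
    left=SysA.example.com
    leftid=@SysA.example.com          # identity is the FQDN, not an address,
    leftsubnet=192.168.1.0/24         # so NAT rewriting the source IP does not break it
    leftrsasigkey=0sPLACEHOLDER_PUBKEY_A   # output of `ipsec showhostkey --left` on A
    right=SysB.example.com
    rightid=@SysB.example.com
    rightsubnet=192.168.2.0/24
    rightrsasigkey=0sPLACEHOLDER_PUBKEY_B  # output of `ipsec showhostkey --right` on B
    authby=rsasig                     # raw RSA keys: peer is verified by key, not by IP
    # Dead Peer Detection: notice a silent peer well before the next rekey
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    keyingtries=%forever              # keep retrying while the other side is unreachable
    auto=start                        # either end may initiate; the other responds
```

Two design points follow from the questions in the message. First, the identity checked by the peer is whatever `leftid`/`rightid` carry, so using `@FQDN` identities with RSA keys means the responder verifies the signature against the configured key and does not need IP X or IP Y to match the hostname; with a pre-shared key in IKEv1 main mode the responder has to pick the secret by the peer's source address before it sees the ID, which is awkward when that address changes. Second, the "won't know until rekey" problem is what DPD addresses: `dpdaction=restart` tears down and re-initiates after `dpdtimeout` seconds of silence, and `uniqueids=yes` lets a peer that reconnects from a new address replace its own stale IKE SA instead of coexisting with it.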