[Openswan Users] How does USE_DYNAMICDNS work?
Paul Wouters
paul at xelerance.com
Sat Jun 20 14:18:56 EDT 2009
On Sat, 20 Jun 2009, Nick Howitt wrote:
> I am curious to know what the USE_DYNAMICDNS option does.
>
> On initiating a tunnel does it keep re-evaluating any FQDN in ipsec.conf
> each time it tries (e.g. both left= and right=, also both leftid= and
> rightid= if necessary), or does it just re-evaluate one end?
David will know for sure, but I believe it will re-evaluate after
an "up" or "replace" command, and when DPD kicks it to start those.
> When not initiating a tunnel (i.e. responding to the far end
> initiating), does it re-evaluate right= (and rightid=) each time a
> connection attempt is made or are you still forced to use %any for
> right=? (Assuming the far end is right).
You should still use %any on the responder.
> How often is %defaultroute re-evaluated? Each connection attempt or just
> when the connection is added?
I assume only at startup. It is only used to determine the interface for
the outgoing packets on klips (and some other rare corner cases). It should
not interfere too much.
> How is ipsec.secrets treated? Again, are the secrets automatically
> re-evaluated each connection attempt or must you continually re-read the
> secrets?
Use "%any"?
> Lastly, how can you tell if your version of openswan has been compiled
> with USE_DYNAMICDNS?
There is no method for this yet. A quick and dirty way is:
grep "resolved dynamic peer IP address" /usr/local/libexec/ipsec/pluto
If grep says "binary file matches", you have it.
It was not enabled per default until 2.6.22dr1.
Paul
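The grep check above, wrapped as a small shell function so it can be scripted across hosts. This is an added example, not part of the mail or of Openswan itself: it searches a pluto binary for the log string Paul names and reports by exit status. The default path is the one from the mail; distribution packages may install pluto elsewhere (for example under /usr/libexec/ipsec), so the path is taken as an argument.

```shell
# Added example (not from the original mail): report whether a pluto binary was
# built with USE_DYNAMICDNS by searching it for the log string that the build adds.
# Usage: has_dynamicdns [/path/to/pluto]
# Exit status: 0 = string found, 1 = not found, 2 = binary not readable.
has_dynamicdns() {
    binary="${1:-/usr/local/libexec/ipsec/pluto}"   # path from the mail; adjust per distro
    if [ ! -r "$binary" ]; then
        echo "cannot read $binary" >&2
        return 2
    fi
    # -a treats the file as text so grep reports a real match instead of only
    # "Binary file matches"; -q suppresses output and leaves just the exit status.
    if grep -a -q "resolved dynamic peer IP address" "$binary"; then
        echo "$binary: built with USE_DYNAMICDNS"
        return 0
    else
        echo "$binary: USE_DYNAMICDNS not compiled in"
        return 1
    fi
}
```

Run it as `has_dynamicdns /usr/libexec/ipsec/pluto` (or with no argument for the path in the mail) and branch on `$?`; the exit status, not the printed text, is what a deployment script should check.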