[Openswan Users] How does USE_DYNAMICDNS work?

Paul Wouters paul at xelerance.com
Sat Jun 20 14:18:56 EDT 2009

On Sat, 20 Jun 2009, Nick Howitt wrote:

> I am curious to know what the USE_DYNAMICDNS option does.
> On initiating a tunnel does it keep re-evaluating any FQDN in ipsec.conf
> each time it tries (e.g both left= and right=, also both leftid= and
> rightid= if necessary), or does it just re-evaluate one end?

David will know for sure, but I believe it will re-evaluate after
an "up" or "replace" command, and when DPD kicks it to start those.

> When not initiating a tunnel (i.e. responding to the far end
> initiating), does it re-evaluate right= (and rightid=) each time a
> connection attempt is made or are you still forced to use %any for
> right=? (Assuming the far end is right).

You should still use %any on the responder.

> How often is %defaultroute re-evaluated? Each connection attempt or just
> when the connection is added?

I assume only at startup. It is only used to determine the interface for
the outgoing packets on klips (and some other rare corner cases). It should
not interfere too much

> How is ipsec.secrets treated? Again, are the secrets automatically
> re-evaluated each connection attempt or must you continually re-read the
> secrets?

Use "%any" ?

> Lastly, how can you tell if your version of openswan has been compiled

There is no method for this yet. A quick and dirty way is:

grep "resolved dynamic peer IP address" /usr/local/libexec/ipsec/pluto

If grep says "binary file matches", you have it.

It was not enabled per default until 2.6.22dr1.


More information about the Users mailing list