[Openswan Users] Dynamic DNS and multiple Road Warrior tunnel problem

Paul Wouters paul at xelerance.com
Mon Jul 11 22:45:45 EDT 2011


On Mon, 11 Jul 2011, Curu Wong wrote:

> I am using Openswan 2.6.33 on CentOS 5 and have two tunnel definitions; here's an excerpt from gw2:
> 
> conn gw1-gw2
>     right=mygw1xx.dyndns.org
>     ...
> 
> conn l2tp-x509
>     right=%any
> 
> I think the other parts of the configuration are not related to my problem, so I'm not including them here.
> 
> And here's the problem I am facing. My gw1 connects to the Internet with ADSL, which changes its IP address regularly. I have set up gw1 to restart the ipsec service every time
> its IP changes.
> However, the restart doesn't seem to solve the problem. From /var/log/secure, I noticed that when gw1's IP changes, all its connections are then processed by the l2tp-x509
> connection, which will definitely fail. As a result, the tunnel between gw1 and gw2 can't be established again, unless I restart the ipsec service on gw2 manually.
> 
> I have also tried setting both conns' right to %any, which then works fine. However, all incoming ipsec negotiations will first be processed by conn gw1-gw2, and if that fails, then
> processed by conn l2tp-x509 and succeed. But I don't like this, because many of my ipsec connections will come from road warriors, not gw1.
> 
> Can anyone please tell me if my configuration is bad? Or how can I fix this problem elegantly?

Add a rightid/leftid to gw1-gw2, and put the connection in aggrmode=yes (or in ikev2=yes) and
use right=%any

I think that should fix it,

Paul
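A gw2-side conn block along the lines Paul describes, added here as an illustration that is not from the original thread or from Openswan's own documentation; the @-style IDs and the ike= proposal are constructed placeholders:

```ini
# gw2's ipsec.conf (constructed example): the site-to-site conn no longer
# pins gw1 by its dynamic address, it is matched on the IKE identity instead.
conn gw1-gw2
    left=%defaultroute
    leftid=@gw2.example.org        # placeholder FQDN-style ID presented by gw2
    right=%any                     # gw1's address changes, so do not pin it
    rightid=@gw1.example.org       # placeholder ID that gw1 must present
    aggrmode=yes                   # the ID is carried in the first exchange
    # Assumption: Openswan's aggressive mode expects a single ike= proposal;
    # this proposal is a constructed example, use one both gateways support.
    ike=aes128-sha1;modp2048
    auto=add

# Road warriors still land on the certificate-authenticated conn; its other
# settings are the ones already in gw2's ipsec.conf (not shown here).
conn l2tp-x509
    right=%any
```

gw1's own ipsec.conf needs the mirrored leftid/rightid pair, and Paul's other option is to enable IKEv2 on both ends instead of aggressive mode.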
