[Openswan Users] Dynamic DNS and multiple Road Warrior tunnel problem
Paul Wouters
paul at xelerance.com
Mon Jul 11 22:45:45 EDT 2011
On Mon, 11 Jul 2011, Curu Wong wrote:
> I am using Openswan 2.6.33 on CentOS 5, and have two tunnel definitions; here are some excerpts from gw2:
>
> conn gw1-gw2
> right=mygw1xx.dyndns.org
> ...
>
> conn l2tp-x509:
> right=%any
>
> I think the other parts of the configuration are not related to my problem, so I do not include them here.
>
> And here's the problem I am facing. My gw1 connects to the Internet with ADSL, which changes its IP address regularly. I have set up gw1 to restart the ipsec service every time its IP has changed.
> However, the restart seems unable to solve the problem. From /var/log/secure, I noticed that when gw1's IP changed, all its connections will then be processed by the l2tp-x509 connection, which will definitely fail. As a result, the tunnel between gw1 and gw2 can't be established again, unless I restart the ipsec service on gw2 manually.
>
> I have also tried to set both conns' right to %any, which will then work fine. However, all incoming ipsec negotiations will first be processed by conn gw1-gw2; if that fails, they are then processed by conn l2tp-x509 and succeed. But I don't like this, because many of my ipsec connections will come from road warriors, not gw1.
>
> Can anyone please tell me if my configuration is bad? Or how can I fix this problem elegantly?
Add a rightid/leftid to gw1-gw2, and put the connection in aggrmode=yes (or in ikev2=yes) and use right=%any
I think that should fix it,
Paul
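The gw2 side of the fix Paul describes, written out as an added example (not taken from the thread or from the Openswan project): the peer is matched on its ID instead of the address behind the dyndns name, so the catch-all l2tp-x509 conn no longer swallows gw1 after an address change. Hostnames, subnets, the certificate file name and the use of a PSK are assumptions.

```ini
# /etc/ipsec.conf on gw2 (assumed layout; adapt names, subnets and auth to your setup)
config setup
        protostack=netkey        # assumption: whichever stack gw2 already runs

conn gw1-gw2
        left=%defaultroute
        leftid=@gw2.example.org  # "@" = FQDN ID that pluto will not resolve (assumed name)
        leftsubnet=10.2.0.0/24   # assumed subnet behind gw2
        # Accept gw1 from any address; the ID below is what selects this conn,
        # so the dyndns address for gw1 is no longer needed on gw2.
        right=%any
        rightid=@gw1.example.org # must equal leftid on gw1 (assumed name)
        rightsubnet=10.1.0.0/24  # assumed subnet behind gw1
        # Aggressive mode carries the ID in the first IKE message, which lets pluto
        # pick this conn before the main-mode catch-all below; with a PSK this also
        # exposes a hash of the PSK to anyone on the path, so IKEv2 (the alternative
        # Paul names) is the better choice when both gateways support it.
        aggrmode=yes
        authby=secret
        auto=add

conn l2tp-x509
        # Road-warrior catch-all: certificate-based, main mode, any address.
        left=%defaultroute
        leftcert=gw2cert.pem     # assumed certificate file name
        leftprotoport=17/1701
        right=%any
        rightca=%same
        rightprotoport=17/%any
        auto=add
```

With authby=secret the PSK in ipsec.secrets on both gateways has to be keyed by the two IDs (`@gw2.example.org @gw1.example.org : PSK "..."`) rather than by IP address, and gw1 needs the mirror-image conn with aggrmode=yes and its own leftid=@gw1.example.org.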