[Openswan Users] DDNS can not work

Nick Howitt n1ck.h0w1tt at gmail.com
Sun Jul 29 09:56:38 EDT 2012


Ozai
There are a couple of things you could do. In your Openswan1 conn, set 
left=%defaultroute and leftid=@something, then in ipsec.secrets, instead 
of using an IP address or FQDN for left, use @something.

At the Openswan2 end you could change right=%any and rightid=@something 
and auto=add. Then in ipsec.secrets, instead of using an IP address or 
FQDN for right, use @something. This way openswan1 will always contact 
openswan2 and not vice versa, and you become relatively independent of 
the DDNS issue.

Instead of using %defaultroute for openswan1 and right=%any at openswan2, 
you could use an FQDN to designate openswan1 and configure DPD with an 
action of restart-by-peer. This will re-read the FQDNs when the conn goes 
down. This has two issues. Firstly, you have to wait until the new IP 
address propagates through the DDNS system, and secondly, I recently 
turned up a bug where, if the FQDN fails to resolve (say during a local 
internet interruption), ipsec terminates. I believe a bug has been 
filed for this.

Nick
On 27/07/2012 11:55, Ozai wrote:
> Dear Sirs,
>
> I tested openswan with the DDNS feature. The test environment is as below.
> The left side is the DDNS hostname. The first time, the tunnel can work 
> smoothly. But if the IP address of the hostname was changed by DDNS, 
> openswan2 always seems to use the old IP address to make the connection. It 
> does not seem to change the IP address automatically to make the 
> connection. Do you have any suggestion on it? Thanks.
>
> 192.168.1.x-------openswan1 with 
> DDNS----------openswan2-----------192.168.2.x
>
> Best Regards,
> Ozai
>
> #
> # cat ipsec.conf
> config setup
>                nat_traversal=no
>                oe=off
>                protostack=netkey
>                interfaces=%defaultroute
> conn test
>                left=1.169.145.217
>                leftsubnet=192.168.2.0/24
>                rightsubnet=192.168.1.0/24
>                connaddrfamily=ipv4
>                right=aaa.bbb.ccc
>                leftid=2.2.2.2
>                rightid=1.1.1.1
>                keyexchange=ike
>                ike=3des-md5;modp1024!
>                salifetime=480m
>                phase2=esp
>                phase2alg=3des-hmac_md5!
>                pfs=no
>                ikelifetime=60m
>                dpdaction=restart
>                dpddelay=180
>                dpdtimeout=5
>                type=tunnel
>                authby=secret
>                aggrmode=yes
>                auto=add
> # cat ipsec.secrets
> 2.2.2.2 1.1.1.1 : PSK "12345"
> #
>
> #
> # ipsec auto --status
> 000 using kernel interface: netkey
> 000 interface lo/lo ::1
> 000 interface br0/br0 2001:b010:7030:f801:204:edff:fe78:5678
> 000 interface ppp0.1/ppp0.1 2001:b010:7030:f800:951f:147d:d5d6:2361
> 000 interface lo/lo 127.0.0.1
> 000 interface br0/br0 192.168.2.254
> 000 interface ppp0.1/ppp0.1 1.169.145.217
> 000 %myid = (none)
> 000 debug none
> 000
> 000 virtual_private (%priv):
> 000 - allowed 0 subnets:
> 000 - disallowed 0 subnets:
> 000 WARNING: Either virtual_private= is not specified, or there is a syntax
> 000          error in that line. 'left/rightsubnet=vhost:%priv' will not work!
> 000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
> 000          private address space in internal use, it should be excluded!
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
> 000
> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
> 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
> 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
> 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
> 000
> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
> 000
> 000 "test": 192.168.2.0/24===1.169.145.217<1.169.145.217>[2.2.2.2]...1.171.252.236<aaa.bbb.ccc>[1.1.1.1]===192.168.1.0/24; prospective erouted; eroute owner: #0
> 000 "test":     myip=unset; hisip=unset;
> 000 "test":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "test":   policy: PSK+ENCRYPT+TUNNEL+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: ppp0.1;
> 000 "test":   dpd: action:restart; delay:180; timeout:5;
> 000 "test":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "test":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2); flags=strict
> 000 "test":   IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
> 000 "test":   ESP algorithms wanted: 3DES(3)_000-MD5(1)_000; flags=strict
> 000 "test":   ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
> 000
> 000 #6: "test":500 STATE_AGGR_I1 (sent AI1, expecting AR1); EVENT_RETRANSMIT in 2s; nodpd; idle; import:respond to stranger
> 000 #6: pending Phase 2 for "test" replacing #2
>
> <error messages> -----------------------------------------------------------------------------------------------
>
> Jan  1 00:44:11 authpriv warn pluto[7794]: ERROR: asynchronous network 
> error report on ppp0.1 (sport=500) for message to 1.171.252.236 port 
> 500, complainant 1.171.252.236: Connection refused [errno 146, origin 
> ICMP type 3 code 3 (not authenti
> Jan  1 00:44:16 authpriv warn pluto[7794]: packet from 
> 1.161.41.98:500: initial Aggressive Mode message from 1.161.41.98 but 
> no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
> Jan  1 00:44:36 authpriv warn pluto[7794]: packet from 
> 1.161.41.98:500: received Vendor ID payload [Dead Peer Detection]
> Jan  1 00:44:36 authpriv warn pluto[7794]: packet from 
> 1.161.41.98:500: initial Aggressive Mode message from 1.161.41.98 but 
> no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
> Jan  1 00:44:51 authpriv warn pluto[7794]: "test" #4: max number of 
> retransmissions (5) reached STATE_AGGR_I1
> Jan  1 00:44:51 authpriv warn pluto[7794]: "test" #4: starting keying 
> attempt 3 of an unlimited number
> Jan  1 00:44:51 authpriv warn pluto[7794]: "test" #5: initiating 
> Aggressive Mode #5 to replace #4, connection "test"
> Jan  1 00:44:51 authpriv warn pluto[7794]: ERROR: asynchronous network 
> error report on ppp0.1 (sport=500) for message to 1.171.252.236 port 
> 500, complainant 1.171.252.236: Connection refused [errno 146, origin 
> ICMP type 3 code 3 (not authenti
> Jan  1 00:45:16 authpriv warn pluto[7794]: packet from 
> 1.161.41.98:500: received Vendor ID payload [Dead Peer Detection]
> Jan  1 00:45:16 authpriv warn pluto[7794]: packet from 
> 1.161.41.98:500: initial Aggressive Mode message from 1.161.41.98 but 
> no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
> Jan  1 00:45:21 authpriv warn pluto[7794]: ERROR: asynchronous network 
> error report on ppp0.1 (sport=500) for message to 1.171.252.236 port 
> 500, complainant 1.171.252.236: Connection refused [errno 146, origin 
> ICMP type 3 code 3 (not authenti
> Jan  1 00:45:56 authpriv warn pluto[7794]: packet from 
> 1.161.41.98:500: initial Aggressive Mode message from 1.161.41.98 but 
> no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
> Jan  1 00:46:01 authpriv warn pluto[7794]: ERROR: asynchronous network 
> error report on ppp0.1 (sport=500) for message to 1.171.252.236 port 
> 500, complainant 1.171.252.236: Connection refused [errno 146, origin 
> ICMP type 3 code 3 (not authenti
> Jan  1 00:46:06 authpriv warn pluto[7794]: packet from 
> 1.161.41.98:500: initial Aggressive Mode message from 1.161.41.98 but 
> no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
> Jan  1 00:46:16 authpriv warn pluto[7794]: packet from 
> 1.161.41.98:500: received Vendor ID payload [Dead Peer Detection]
> Jan  1 00:46:16 authpriv warn pluto[7794]: packet from 
> 1.161.41.98:500: initial Aggressive Mode message from 1.161.41.98 but 
> no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
> Jan  1 00:46:36 authpriv warn pluto[7794]: packet from 
> 1.161.41.98:500: received Vendor ID payload [Dead Peer Detection]
> Jan  1 00:46:36 authpriv warn pluto[7794]: packet from 
> 1.161.41.98:500: initial Aggressive Mode message from 1.161.41.98 but 
> no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
> Jan  1 00:46:41 authpriv warn pluto[7794]: ERROR: asynchronous network 
> error report on ppp0.1 (sport=500) for message to 1.171.252.236 port 
> 500, complainant 1.171.252.236: Connection refused [errno 146, origin 
> ICMP type 3 code 3 (not authenti
> Jan  1 00:47:16 authpriv warn pluto[7794]: packet from 
> 1.161.41.98:500: initial Aggressive Mode message from 1.161.41.98 but 
> no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
> Jan  1 00:47:21 authpriv warn pluto[7794]: ERROR: asynchronous network 
> error report on ppp0.1 (sport=500) for message to 1.171.252.236 port 
> 500, complainant 1.171.252.236: Connection refused [errno 146, origin 
> ICMP type 3 code 3 (not authenti
> Jan  1 00:47:56 authpriv warn pluto[7794]: packet from 
> 1.161.41.98:500: initial Aggressive Mode message from 1.161.41.98 but 
> no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
> Jan  1 00:48:01 authpriv warn pluto[7794]: "test" #5: max number of 
> retransmissions (5) reached STATE_AGGR_I1
> Jan  1 00:48:01 authpriv warn pluto[7794]: "test" #5: starting keying 
> attempt 4 of an unlimited number
> Jan  1 00:48:01 authpriv warn pluto[7794]: "test" #6: initiating 
> Aggressive Mode #6 to replace #5, connection "test"
> Jan  1 00:48:01 authpriv warn pluto[7794]: ERROR: asynchronous network 
> error report on ppp0.1 (sport=500) for message to 1.171.252.236 port 
> 500, complainant 1.171.252.236: Connection refused [errno 146, origin 
> ICMP type 3 code 3 (not authenti
> Jan  1 00:48:06 authpriv warn pluto[7794]: packet from 
> 1.161.41.98:500: initial Aggressive Mode message from 1.161.41.98 but 
> no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
> Jan  1 00:48:11 authpriv warn pluto[7794]: ERROR: asynchronous network 
> error report on ppp0.1 (sport=500) for message to 1.171.252.236 port 
> 500, complainant 1.171.252.236: Connection refused [errno 146, origin 
> ICMP type 3 code 3 (not authenti
> Jan  1 00:48:16 authpriv warn pluto[7794]: packet from 
> 1.161.41.98:500: initial Aggressive Mode message from 1.161.41.98 but 
> no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
> Jan  1 00:48:31 authpriv warn pluto[7794]: ERROR: asynchronous network 
> error report on ppp0.1 (sport=500) for message to 1.171.252.236 port 
> 500, complainant 1.171.252.236: Connection refused [errno 146, origin 
> ICMP type 3 code 3 (not authenti
> Jan  1 00:48:36 authpriv warn pluto[7794]: packet from 
> 1.161.41.98:500: initial Aggressive Mode message from 1.161.41.98 but 
> no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
> Jan  1 00:49:11 authpriv warn pluto[7794]: ERROR: asynchronous network 
> error report on ppp0.1 (sport=500) for message to 1.171.252.236 port 
> 500, complainant 1.171.252.236: Connection refused [errno 146, origin 
> ICMP type 3 code 3 (not authenti
> Jan  1 00:49:16 authpriv warn pluto[7794]: packet from 
> 1.161.41.98:500: initial Aggressive Mode message from 1.161.41.98 but 
> no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
> Jan  1 00:49:51 authpriv warn pluto[7794]: ERROR: asynchronous network 
> error report on ppp0.1 (sport=500) for message to 1.171.252.236 port 
> 500, complainant 1.171.252.236: Connection refused [errno 146, origin 
> ICMP type 3 code 3 (not authenti
> Jan  1 00:49:56 authpriv warn pluto[7794]: packet from 
> 1.161.41.98:500: initial Aggressive Mode message from 1.161.41.98 but 
> no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
> Jan  1 00:50:06 authpriv warn pluto[7794]: packet from 
> 1.161.41.98:500: received Vendor ID payload [Dead Peer Detection]
> Jan  1 00:50:06 authpriv warn pluto[7794]: packet from 
> 1.161.41.98:500: initial Aggressive Mode message from 1.161.41.98 but 
> no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
> Jan  1 00:50:16 authpriv warn pluto[7794]: packet from 
> 1.161.41.98:500: received Vendor ID payload [Dead Peer Detection]
> Jan  1 00:50:16 authpriv warn pluto[7794]: packet from 
> 1.161.41.98:500: initial Aggressive Mode message from 1.161.41.98 but 
> no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
> Jan  1 00:50:31 authpriv warn pluto[7794]: ERROR: asynchronous network 
> error report on ppp0.1 (sport=500) for message to 1.171.252.236 port 
> 500, complainant 1.171.252.236: Connection refused [errno 146, origin 
> ICMP type 3 code 3 (not authenti
> Jan  1 00:50:36 authpriv warn pluto[7794]: packet from 
> 1.161.41.98:500: initial Aggressive Mode message from 1.161.41.98 but 
> no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
> Jan  1 00:51:11 authpriv warn pluto[7794]: "test" #6: max number of 
> retransmissions (5) reached STATE_AGGR_I1
> Jan  1 00:51:11 authpriv warn pluto[7794]: "test" #6: starting keying 
> attempt 5 of an unlimited number
> Jan  1 00:51:11 authpriv warn pluto[7794]: "test" #7: initiating 
> Aggressive Mode #7 to replace #6, connection "test"
> Jan  1 00:51:11 authpriv warn pluto[7794]: ERROR: asynchronous network 
> error report on ppp0.1 (sport=500) for message to 1.171.252.236 port 
> 500, complainant 1.171.252.236: Connection refused [errno 146, origin 
> ICMP type 3 code 3 (not authenti
> Jan  1 00:51:16 authpriv warn pluto[7794]: packet from 
> 1.161.41.98:500: initial Aggressive Mode message from 1.161.41.98 but 
> no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
>
>
>
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
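The first arrangement Nick describes (dynamic end always initiates with left=%defaultroute and an @-style ID, fixed end accepts from right=%any and authenticates by ID), written out for both ends as an added example. It is not configuration from the original post or from the Openswan project. Host names (openswan1, openswan2), the conn name, the DPD timers and the placeholder secret are assumptions; the addresses and subnets follow Ozai's diagram (openswan1 is the DDNS end with 192.168.1.0/24, openswan2 sits on the fixed address 1.169.145.217 with 192.168.2.0/24), and the algorithm lines are kept from Ozai's conn so that nothing else changes while the DDNS problem is being fixed. The log in the post fits this reading: the "Connection refused ... ICMP type 3 code 3" lines show openswan2 still sending IKE to the stale 1.171.252.236, and the repeated "initial Aggressive Mode message from 1.161.41.98 but no (wildcard) connection has been configured" lines are consistent with openswan1 calling in from a new address that no conn matches, which is exactly what right=%any is for.

```ini
# Added example (not the original poster's or the Openswan project's config).
# Names, DPD timers and the secret are placeholders; replace them.

# ===== openswan1 (dynamic DDNS address, always the initiator) =====
# /etc/ipsec.conf
conn test
        left=%defaultroute          # whatever address the PPP/DHCP link has right now
        leftid=@openswan1           # our identity is a name, not an IP, so it survives renumbering
        leftsubnet=192.168.1.0/24
        right=1.169.145.217         # fixed peer address; no DNS lookup involved
        rightid=@openswan2
        rightsubnet=192.168.2.0/24
        type=tunnel
        authby=secret
        aggrmode=yes                # as in the original conn; IDs are visible before PSK lookup
        keyexchange=ike
        ike=3des-md5;modp1024!      # kept from the original conn (see note below)
        phase2=esp
        phase2alg=3des-hmac_md5!    # kept from the original conn
        pfs=no
        ikelifetime=60m
        salifetime=480m
        dpdaction=restart           # initiator: when the peer goes quiet, re-initiate
        dpddelay=30                 # assumed timers: probe every 30 s ...
        dpdtimeout=120              # ... and declare the peer dead after 120 s
        auto=start                  # the dynamic end brings the tunnel up itself

# /etc/ipsec.secrets on openswan1 (keyed by ID, not by address)
@openswan1 @openswan2 : PSK "replace-with-a-long-random-secret"

# ===== openswan2 (fixed address, responder only) =====
# /etc/ipsec.conf
conn test
        left=1.169.145.217
        leftid=@openswan2
        leftsubnet=192.168.2.0/24
        right=%any                  # accept the peer from any source address ...
        rightid=@openswan1          # ... but only if it authenticates as this ID
        rightsubnet=192.168.1.0/24
        type=tunnel
        authby=secret
        aggrmode=yes
        keyexchange=ike
        ike=3des-md5;modp1024!
        phase2=esp
        phase2alg=3des-hmac_md5!
        pfs=no
        ikelifetime=60m
        salifetime=480m
        dpdaction=clear             # responder cannot re-initiate towards %any; just drop a dead SA
        dpddelay=30
        dpdtimeout=120
        auto=add                    # load the conn, never initiate it

# /etc/ipsec.secrets on openswan2
@openswan2 @openswan1 : PSK "replace-with-a-long-random-secret"
```

Check: after `ipsec auto --replace test` on openswan2, `ipsec auto --status` should show `%any` on the right-hand side of the "test" line instead of the cached 1.171.252.236, and openswan1 should reach STATE_AGGR_I2 / QUICK rather than retransmitting AI1. Two caveats a deployment should carry: with PSK authentication, IKEv1 aggressive mode sends the identities in the clear and lets a passive observer capture material for an offline guess at the PSK, so the secret must be long and random (or move to certificates); and the status output in the post shows this build supports AES, SHA2 and MODP2048, so the 3DES/MD5/MODP1024 lines kept above can be replaced on both ends at the same time once the tunnel is stable. For Nick's second approach, keep right=aaa.bbb.ccc on openswan2 and use dpdaction=restart_by_peer (the spelling used by ipsec.conf(5)), accepting the DDNS propagation delay he mentions.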


