[Swan] Hold state and Dynamic DNS

Tony Whyman tony.whyman at mccallumwhyman.com
Wed Sep 16 09:25:02 UTC 2015

Looking at the Wiki, there is the following statement:

"When connections rekey, dynamic dns support performs a fresh dns lookup 
to support IPsec gateways on dynamic IP using DNS names, such as 

But is this also true of SAs in the hold state? My tests suggest not.

The scenario that I am trying to get working is when both IPSec gateways 
are behind NAT routers using dynamic IP Addresses. Both also use a DDNS 
service. I would like the setup to be symmetric with both having an 
"auto=start" entry, and with right/left entries being the Domain Names 
of the gateways on the DDNS services. The NAT routers are set up to 
always route ports 500 and 4500 to these gateways.

In tests this all works fine until one of the IP Addresses changes when 
it stops working, the SAs go into the hold state and stay that way. 
Looking at the IPSec gateway that has not changed its dynamic IP 
Address, it is clearly still using the old IP Address even after 30 mins 
of idling.

It's easy enough to kick it back into life with "ipsec auto --add 
<connection name>", but that seems to be the only way to recover.

At the same time, I also had SAs set up to a gateway on a static IP 
Address, with anonymous connection configuration i.e.


for the gateway behind the dynamic IP Address. This SA recovered with no 

So there does seem to be an IP Address agility issue here. I could set 
up a separate monitoring process to check for DDNS changes and kick 
pluto with an appropriate "auto --add" when the change is detected, but 
ideally libreswan should be able to handle this case automatically. So:

1. When an explicit domain name is given as a left/right entry does this 
prevent IP Address changes at the other end?

2. Is it possible for pluto to refresh (expired) DNS entries while an SA 
is in the hold state or otherwise not connected?


Tony Whyman
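The stop-gap monitoring process described above, as an added example that is not part of the original post or of libreswan itself: it polls the peer's DDNS name and re-adds the connection when the resolved address changes. The connection name, peer hostname and state-file path are placeholders.

```shell
#!/bin/sh
# Added example (not from the post or the libreswan project): watch a peer's
# DDNS name and re-add the connection when its address changes, so pluto
# performs a fresh DNS lookup instead of sitting on the old address in hold.
CONN="${CONN:-gw-to-gw}"               # hypothetical connection name
PEER="${PEER:-peer-gw.example.org}"    # hypothetical DDNS name of the peer
STATE="${STATE:-/var/run/ddns-watch-$CONN.addr}"   # last address seen

# Resolve a hostname to its first IPv4 address via the system resolver.
# Prints nothing when resolution fails, so a DNS outage is not a "change".
resolve_peer() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1; exit}'
}

# Return 0 (true) when the freshly resolved address is non-empty and differs
# from the stored one; otherwise 1.
address_changed() {
    old="$1"; new="$2"
    [ -n "$new" ] && [ "$old" != "$new" ]
}

# One poll cycle. On change, record the new address and re-add the
# connection, which the post reports brings the SA out of hold.
check_once() {
    new=$(resolve_peer "$PEER")
    old=$(cat "$STATE" 2>/dev/null)
    if address_changed "$old" "$new"; then
        echo "$new" > "$STATE"
        ipsec auto --add "$CONN"
        return 0
    fi
    return 1
}

# Poll every 60 seconds when invoked with --loop (e.g. from a service unit).
if [ "${1:-}" = "--loop" ]; then
    while :; do check_once; sleep 60; done
fi
```

Run it as root with `--loop` alongside pluto; the state file survives across polls so only genuine address changes trigger a re-add.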
