[Swan] Hold state and Dynamic DNS

Tony Whyman tony.whyman at mccallumwhyman.com
Wed Sep 16 09:31:35 UTC 2015

I could certainly try that. Would that force a DNS refresh?

On 16/09/15 10:30, Nick Howitt wrote:
> Do you need to use the "hold" state? Can you set DPD action to clear 
> the conn so it renegotiates?
> Nick
> On 16/09/2015 10:25, Tony Whyman wrote:
>> Looking at the Wiki, there is the following statement:
>> "When connections rekey, dynamic dns support performs a fresh dns 
>> lookup to support IPsec gateways on dynamic IP using DNS names, such 
>> as dyndns.org."
>> But is this also true of SAs in the hold state? My tests suggest not.
>> The scenario that I am trying to get working is when both IPSec 
>> gateways are behind NAT routers using dynamic IP Addresses. Both also 
>> use a DDNS service. I would like the setup to be symmetric with both 
>> having an "auto=start" entry, and with right/left entries being the 
>> Domain Names of the gateways on the DDNS services. the NAT routers 
>> are set up to always route ports 500 and 4500 to these gateways.
>> In tests this all works fine until one of the IP Addresses changes 
>> when it stops working, the SAs go into the hold state and stay that 
>> way. Looking at the IPSec gateway that has not changed its dynamic IP 
>> Address, it is clearly still using the old IP Address even after 30 
>> mins of idling.
>> It's easy enough to kick it back into life with "ipsec auto --add 
>> <connection name>", but that seems to be the only way to recover.
>> At the same time, I also had SAs set up to a gateway on a static IP 
>> Address, with anonymous connection configuration i.e.
>>     right=%any
>>     rightsubnet=vhost:%no,%priv
>> for the gateway behind the dynamic IP Address. This SA recovered with 
>> no problem.
>> So there does seem to be an IP Address agility issue here. I could 
>> set up a separate monitoring process to check for DDNS changes and 
>> kick pluto with an appropriate "auto --add" when the change is 
>> detected, but ideally libreswan should be able to handle this case 
>> automatically.  So:
>> 1. When an explicit domain name is given as a left/right entry does 
>> this prevent IP Address changes at the other end?
>> 2. Is it possible for pluto to refresh (expired) DNS entries while an 
>> SA is in the hold state or otherwise not connected?
>> Regards
>> Tony Whyman
>> MWA
>> _______________________________________________
>> Swan mailing list
>> Swan at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20150916/796eca0a/attachment.html>

More information about the Swan mailing list