[Swan] Dynamic Hosts

John Crisp jcrisp at safeandsoundit.co.uk
Fri Nov 27 15:23:45 UTC 2015


We are using 3.15 currently on CentOS6 and working on Libre-Libre
connections.

We have a nice simple working setup with PSK that works well with static
IPs. The problems occur with a Dynamic 'Client/Host'. I know this is not
a favoured solution but...

We have noticed two apparent issues.

First is matching identities. I have tried a variety of combinations of
DPD actions/Timeouts etc and things like

right=%any
rightid=remote.dyndns.org
rightid=@remote.dyndns.org

(and with leftid too)

All to no avail.

It seems the ID from the Dynamic host does not match the secret but I
can't for the life of me see how to do this so the Dynamic host sends an
ID that the Static recognises.

Any suggestions on what I am doing wrong? I am sure it is dead simple
but I have run out of ideas.

Current configs, working once both ends are up and ipsec is started at
both ends:



conn StaticToDynamic
    type=tunnel
    authby=secret
    auto=add
    ike=aes-sha1
    phase2alg=aes-sha1
    ikelifetime=3600s
    salifetime=28800s
    pfs=yes
    left=%defaultroute
    leftsourceip=192.168.90.1
    leftsubnet=192.168.90.0/24
    rightsubnet=192.168.20.0/24
    right=remote.dyndns.org

conn DynamicToStatic
    type=tunnel
    authby=secret
    auto=start
    ike=aes-sha1
    phase2alg=aes-sha1
    ikelifetime=3600s
    salifetime=28800s
    pfs=yes
    left=%defaultroute
    leftsourceip=192.168.20.1
    leftsubnet=192.168.20.0/24
    rightsubnet=192.168.90.0/24
    right=1.2.3.4    # Static host IP


Secrets:

On static:

# StaticToDynamic is enabled
1.2.3.4 remote.dyndns.org : PSK "SomeLongAndComplicatedPassword"


On dynamic, if we use this, it works once the new IP is established:

# DynamicToStatic is enabled
{current.dynamic.ip} 1.2.3.4 : PSK "SomeLongAndComplicatedPassword"


If we use this with the domain name, it does not work at all:

# DynamicToStatic is enabled
remote.dyndns.org 1.2.3.4 : PSK "SomeLongAndComplicatedPassword"


This works on Static once the new IP is established:

# StaticToDynamic is enabled
1.2.3.4 %any : PSK "SomeLongAndComplicatedPassword"


Obviously %any is not so cool!

I am probably going to modify my script so that Dynamic clients HAVE to
use a minimum of rsasigs, but I'd like to know what we are doing right
or wrong.

The second issue seems to be that when the Dynamic host renews its IP, this
never seems to be picked up by the Static host without a restart of ipsec
on the Static host, and a restart of ipsec on the Dynamic.

We also noted that if the Dynamic client comes up it tries to connect
several times and then just stops trying - or at least the Static host
sees no more attempts. keyingtries is set at 0 (left at default) so I
would think it would keep hammering away, but apparently not, and
Dynamic needs a restart to get it to go again.

ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz:
100%; keyingtries: 0;

Sequence we had to use to get it to work:

Dynamic client up
Static host wait for new IP

Next two can be swapped...

Static:
ipsec auto --replace StaticToDynamic (once the new IP was recognised in DNS)

Dynamic:
ipsec restart

We've tried what feels like a million permutations on this!

Any other suggestions please?

B. Rgds
John
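As an added illustration (not from John's post or the Libreswan project), here is a small Python model of how a PSK gets selected by peer identity: each side presents its explicit leftid/rightid if set, otherwise its current IP, and a secrets line is usable only if it lists both IDs (%any lists any), with a bare FQDN resolved when the secrets file is loaded and an @FQDN kept literal. Those matching rules, the addresses 203.0.113.7 and 198.51.100.9 and the DNS table are assumptions made for the example; it shows why an IP-based line stops matching after a lease renewal, why the wildcard line keeps matching, and which line a literal @FQDN identity would need.

```python
import ipaddress
import re

# Constructed secrets lines, one per variant discussed in the thread.
SECRETS = {
    "ip_pair":  '1.2.3.4 203.0.113.7 : PSK "SomeLongAndComplicatedPassword"',
    "fqdn":     '1.2.3.4 remote.dyndns.org : PSK "SomeLongAndComplicatedPassword"',
    "wildcard": '1.2.3.4 %any : PSK "SomeLongAndComplicatedPassword"',
    "at_fqdn":  '1.2.3.4 @remote.dyndns.org : PSK "SomeLongAndComplicatedPassword"',
}
# Constructed DNS answer at the moment the secrets file was loaded (assumption).
DNS_AT_LOAD = {"remote.dyndns.org": "203.0.113.7"}

STATIC = {"ip": "1.2.3.4"}                                      # fixed address
DYN_BEFORE = {"ip": "203.0.113.7"}                              # dynamic host, old lease
DYN_AFTER = {"ip": "198.51.100.9"}                              # same host after renewal
DYN_NAMED = {"ip": "198.51.100.9", "id": "@remote.dyndns.org"}  # renewal plus explicit leftid


def parse_secret(line):
    """Split 'id id : PSK "x"' into its ID tokens and the key."""
    ids, _, rest = line.partition(":")
    return ids.split(), re.search(r'PSK\s+"([^"]*)"', rest).group(1)


def normalise_id(token, dns):
    """Model: '@name' is a literal FQDN ID; a bare name is resolved to an IP at load time."""
    if token == "%any" or token.startswith("@"):
        return token
    try:
        return str(ipaddress.ip_address(token))
    except ValueError:
        return dns.get(token, "<unresolved:" + token + ">")


def peer_id(side, dns):
    """ID a peer presents: explicit leftid/rightid if set, otherwise its current IP."""
    return normalise_id(side.get("id") or side["ip"], dns)


def psk_matches(line, local, remote, dns):
    """Model: a line selects the PSK only if it lists both peer IDs (%any lists any)."""
    ids = [normalise_id(t, dns) for t in parse_secret(line)[0]]
    covered = lambda i: i in ids or "%any" in ids
    return covered(peer_id(local, dns)) and covered(peer_id(remote, dns))


def evaluate(dns, remote):
    """For each secrets variant: does the static side still find a PSK for this peer?"""
    return {name: psk_matches(line, STATIC, remote, dns) for name, line in SECRETS.items()}


if __name__ == "__main__":
    for name, ok in evaluate(DNS_AT_LOAD, DYN_AFTER).items():
        print("%-9s %s" % (name, "matches" if ok else "no PSK found"))
```

Re-running evaluate with a DNS table that already carries the new address corresponds to reloading the secrets after the dyndns record has caught up, which is the "works once the new IP is established" case above.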
