[Swan] Dynamic Hosts

Paul Wouters paul at nohats.ca
Fri Nov 27 16:34:11 UTC 2015

On Fri, 27 Nov 2015, John Crisp wrote:

> We are using 3.15 currently on CentOS6 and working on Libre-Libre
> connections.
> We have a nice simple working setup with PSK that works well with static
> IPs. The problems occur with a Dynamic 'Client/Host' I know this is not
> a favoured solution but.....

> First is matching identities. I have tried a variety of combinations of
> DPD actions/Timeouts etc and things like
> right=%any
> rightid=remote.dyndns.org
> rightid=@remote.dyndns.org

You should use the DNS name (or %any/%defaultroute) for the right/left and
the syntax with the @ for the ID (to prevent the ID from being resolved
as a hostname)

> It seems the ID from the Dynamic host does not match the secret but I

If you use rightid=@remote.dyndns.org and leftid=@local.dyndns.org then
use in ipsec.secrets:

@remote.dyndns.org @local.dyndns.org : PSK "yoursecret"

Note that if your local IP changes, you must run:

ipsec whack --listen
ipsec auto --replace yourconn
(and ipsec auto --up yourconn if you want to start it right away)


More information about the Swan mailing list