[Swan] Dynamic Hosts

John Crisp jcrisp at safeandsoundit.co.uk
Sun Nov 29 01:52:49 UTC 2015


Hi Paul, and thanks!

On 27/11/15 17:34, Paul Wouters wrote:
> On Fri, 27 Nov 2015, John Crisp wrote:
> 
> 
> You should use the DNS name (or %any/%defaultroute) for the right/left and
> the syntax with the @ for the ID (to prevent the ID from being resolved
> as a hostname)
> 

OK - we got it, thank you... we got our wires crossed here!

>> It seems the ID from the Dynamic host does not match the secret but I
> 
> If you use rightid=@remote.dyndns.org and leftid=@local.dyndns.org then
> use in ipsec.secrets:
> 
> @remote.dyndns.org @local.dyndns.org : PSK "yoursecret"
> 

OK - we'll try that. Think we may have had the same issue with mixing
the IDs as above.

> Note that if your local IP changes, you must run:
> 
> ipsec whack --listen
> ipsec auto --replace yourconn
> (and ipsec auto --up yourconn if you want to start it right away)
> 

OK, I understand that on the dynamic host... with this particular one it
is really only on reboots that it gets a new IP.

On the static host we set DPD to clear; the dynamic host goes offline and
the static clears the connection correctly, but when the dynamic host
comes back up with a new IP the static refuses to accept the connection.


I believe that this is the case for IKEv1 (?), but for IKEv2 I believe
it can just use IDs. We tried that and it was a miserable failure...
the static never accepts the new IP or the ID until the static has been
restarted.


Here 5.6.7.8 is the dynamic host, with its new IP address, trying to
reconnect, and 1.2.3.4 is the static host.

Using rsasig and IKEv2, which works once both ends are restarted:

Nov 29 02:22:31: packet from 5.6.7.8:500: initial parent SA message received on 1.2.3.4:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW
Nov 29 02:22:31: packet from 5.6.7.8:500: initial parent SA message received on 1.2.3.4:500 but no connection has been authorized with policy PSK+IKEV2_ALLOW
Nov 29 02:22:31: packet from 5.6.7.8:500: initial parent SA message received on 1.2.3.4:500 but no connection has been authorized with policy AUTHNULL+IKEV2_ALLOW
Nov 29 02:22:31: packet from 5.6.7.8:500: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 5.6.7.8:500


ipsec whack --status shows the static still looking for the old IP address:

"TestToRemote": 192.168.80.0/24===1.2.3.4[@Remote]---60.x.x.1...4.3.2.1<previousip.dyndns.org>[@Local]===192.168.20.0/24; prospective erouted; eroute owner: #0

"TestToRemote":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW;

Unless the static is restarted the connection will not come up. I'm not
sure whether we are trying to do the impossible or not? :-)


As a side issue, we also saw a few errors in the logs whilst testing IKEv2
(libreswan 3.15):

On the static:
EXPECTATION FAILED at /home/john/rpmbuild/BUILD/libreswan-3.15/programs/pluto/ikev2_parent.c:3930: !IS_CHILD_SA(st)

On the dynamic:
EXPECTATION FAILED at /home/john/rpmbuild/BUILD/libreswan-3.15/programs/pluto/ikev1.c:2843: r != NULL

Any thoughts gratefully appreciated !

B. Rgds
John
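Editor's added example (not code from libreswan or from anyone in this thread): a small checker that cross-references the two artifacts John posted from the static host, the conn lines of `ipsec whack --status` and pluto's "no connection has been authorized" log lines, and flags a conn whose cached peer address no longer matches the address the peer is now knocking from. It assumes the line layouts exactly as they appear in the mail (libreswan 3.15), with the mail-wrapped lines re-joined; the second conn "Office" in the sample is invented to show that conns on another local address are not flagged. The remediation it prints is the command sequence Paul gives in the thread; that re-adding the conn with `ipsec auto --replace` re-resolves the peer's DNS name on the static side is my assumption, not something the thread states.

```python
"""Flag a libreswan conn whose cached peer address has gone stale.

Added example, not code from libreswan or from the thread. It cross-checks
two things the operator of the static host already has at hand:

  * `ipsec whack --status` output, where each conn line shows the peer
    address pluto resolved when the conn was loaded, e.g.
    4.3.2.1<previousip.dyndns.org>
  * pluto log lines of the form
    "packet from A.B.C.D:500: initial parent SA message received on
     W.X.Y.Z:500 but no connection has been authorized with policy ..."

When a conn on the destination address offers every flag of the rejected
policy but is pinned to a different peer address, the peer has most likely
moved and the conn is a candidate to be re-added.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Conn summary line from `ipsec whack --status`, laid out as in the thread:
# "NAME": LOCALNET===LOCALIP[LEFTID]---NEXTHOP...PEERIP<peerhost>[RIGHTID]===REMOTENET;
STATUS_RE = re.compile(
    r'^"(?P<name>[^"]+)":\s*'
    r'(?P<localnet>\S+?)===(?P<localip>[\d.]+)\[(?P<leftid>[^\]]*)\]'
    r'---(?P<nexthop>\S+?)\.\.\.(?P<peerip>[\d.]+)'
    r'(?:<(?P<peerhost>[^>]*)>)?\[(?P<rightid>[^\]]*)\]'
    r'===(?P<remotenet>[^;]+);'
)
# The conn's policy line: "NAME":   policy: RSASIG+ENCRYPT+...;
POLICY_RE = re.compile(r'^"(?P<name>[^"]+)":\s*policy:\s*(?P<policy>[A-Z0-9_+]+);')
# pluto rejecting an IKE_SA_INIT that no loaded conn will accept
LOG_RE = re.compile(
    r'packet from (?P<src>[\d.]+):\d+: initial parent SA message received on '
    r'(?P<dst>[\d.]+):\d+ but no connection has been authorized with policy '
    r'(?P<policy>[A-Z0-9_+]+)'
)


@dataclass(frozen=True)
class Conn:
    name: str
    local_ip: str
    peer_ip: str              # address pluto resolved at load time
    peer_host: Optional[str]  # DNS name it was resolved from, if any
    policy: FrozenSet[str]


def parse_status(status_text: str) -> Dict[str, Conn]:
    """Pair each conn summary line with its policy line."""
    summaries = {}
    policies = {}
    for raw in status_text.splitlines():
        line = raw.strip()
        m = STATUS_RE.match(line)
        if m:
            summaries[m["name"]] = m
            continue
        m = POLICY_RE.match(line)
        if m:
            policies[m["name"]] = frozenset(m["policy"].split("+"))
    return {
        name: Conn(name, m["localip"], m["peerip"], m["peerhost"],
                   policies.get(name, frozenset()))
        for name, m in summaries.items()
    }


def stale_peers(status_text: str, log_lines: Iterable[str]) -> Dict[str, Tuple[str, str]]:
    """Return {conn: (cached_peer_ip, observed_source_ip)} for every conn that
    listens on the rejected packet's destination address, offers every flag of
    the rejected policy, yet is pinned to a different peer address. pluto tries
    each auth policy in turn, so these are candidates to re-add, not proof."""
    conns = parse_status(status_text)
    found: Dict[str, Tuple[str, str]] = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        wanted = frozenset(m["policy"].split("+"))
        for c in conns.values():
            if c.local_ip != m["dst"] or c.peer_ip == m["src"]:
                continue
            if wanted <= c.policy:
                found[c.name] = (c.peer_ip, m["src"])
    return found


def remediation(conn_name: str) -> List[str]:
    """The command sequence Paul gives in the thread for a changed address.
    Assumption (mine, not the thread's): on the static side `--replace`
    re-adds the conn and so re-resolves the peer's DNS name."""
    return ["ipsec whack --listen",
            f"ipsec auto --replace {conn_name}",
            f"ipsec auto --up {conn_name}"]


# Constructed sample: the thread's output with mail-wrapped lines re-joined,
# plus an invented, unrelated conn ("Office") on another local address.
SAMPLE_STATUS = """\
"Office": 192.168.80.0/24===1.2.3.5[@Remote]---60.x.x.1...7.7.7.7[@Office]===10.9.0.0/16; prospective erouted; eroute owner: #0
"Office":   policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW;
"TestToRemote": 192.168.80.0/24===1.2.3.4[@Remote]---60.x.x.1...4.3.2.1<previousip.dyndns.org>[@Local]===192.168.20.0/24; prospective erouted; eroute owner: #0
"TestToRemote":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW;
"""
SAMPLE_LOG = [
    "Nov 29 02:22:31: packet from 5.6.7.8:500: initial parent SA message received on 1.2.3.4:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW",
    "Nov 29 02:22:31: packet from 5.6.7.8:500: initial parent SA message received on 1.2.3.4:500 but no connection has been authorized with policy PSK+IKEV2_ALLOW",
    "Nov 29 02:22:31: packet from 5.6.7.8:500: initial parent SA message received on 1.2.3.4:500 but no connection has been authorized with policy AUTHNULL+IKEV2_ALLOW",
    "Nov 29 02:22:31: packet from 5.6.7.8:500: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 5.6.7.8:500",
]

if __name__ == "__main__":
    for name, (old, new) in stale_peers(SAMPLE_STATUS, SAMPLE_LOG).items():
        print(f"{name}: pinned to {old}, peer now knocking from {new}; run:")
        for cmd in remediation(name):
            print("   ", cmd)
```

On the sample, only TestToRemote is reported (cached 4.3.2.1, observed 5.6.7.8): the PSK and AUTHNULL rejections do not match its RSASIG policy, and Office is excluded because it does not listen on 1.2.3.4. Feed it the real `ipsec whack --status` output and a `grep 'no connection has been authorized'` of the pluto log to use it on a live host.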
