[Swan] net-to-net for road warriors

Paul Wouters paul at nohats.ca
Thu Jan 24 19:44:01 UTC 2019


On Thu, 24 Jan 2019, Alex wrote:

> I'm continuing to work through your email, but I've noticed now a few
> times you've referred to the server having a dynamic IP and behind
> NAT, but I never said anything about it being behind NAT. It's an
> Optonline dynamic IP, currently 68.192.251.223. There is a
> 192.168.11.0/24 network on the internal interface that the
> laptops/desktops/phones use (or will use) through NAT on the server to
> get to the Internet.
>
> It is correct that orion is on the side of the fixed IP. That is the local side.
>
> Does this change the setup? You had also mentioned something about
> only devices behind NAT could initiate, but those devices aren't the
> ones running the VPN client.

It changes things slightly. If you are on dynamic IP but your machine
does have its DNS name updated when its IP address changes, then you
can use right=@DNSNAME and left=@DNSNAME and when the connection fails
(e.g. you enable DPD) then the DNS name will be looked up fresh. So in
that case, both ends can have auto=start and you can run ipsec auto --up
but you will not be using "%any" in that case.

If you do not have a static DNS name for the endpoint on dynamic IP,
then the static end will never be able to find it, so it can only use
right=%any and auto=add and not initiate the connection.

Paul
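The two cases described above, written out as an added ipsec.conf example (not from this thread or from the libreswan project). The host names orion.example.com and dyn.example.com, the 10.0.0.0/24 subnet behind orion, the PSK authentication and the DPD timer values are assumptions; only the 192.168.11.0/24 subnet behind the dynamic-IP server comes from the thread.

```ini
# Case 1: the dynamic-IP end has a dynamic-DNS name (dyn.example.com, placeholder).
# The same conn can be loaded on both peers; a DPD-triggered restart
# re-resolves the name, so either side may initiate.
conn n2n-dyndns
    left=@orion.example.com        # fixed-IP end (placeholder name)
    leftid=@orion.example.com
    leftsubnet=10.0.0.0/24         # LAN behind orion (assumed)
    right=@dyn.example.com         # dynamic-IP end, name kept current by dynamic DNS
    rightid=@dyn.example.com
    rightsubnet=192.168.11.0/24    # LAN behind the dynamic-IP server (from the thread)
    authby=secret                  # PSK stored in ipsec.secrets, keyed by the two ids (assumed)
    dpddelay=30                    # probe the peer every 30 s
    dpdtimeout=120                 # declare it dead after 120 s without a reply
    dpdaction=restart              # tear down and re-initiate, which looks the name up again
    auto=start                     # both ends may initiate

# Case 2: no DNS name for the dynamic end, so the fixed end cannot find it.
# On orion (fixed IP): accept the peer from any address, never initiate.
conn n2n-anyaddr
    left=@orion.example.com
    leftid=@orion.example.com
    leftsubnet=10.0.0.0/24
    right=%any                     # peer may arrive from whatever address it has today
    rightid=@dyn.example.com       # still authenticate by fixed identity, not by address
    rightsubnet=192.168.11.0/24
    authby=secret
    auto=add                       # load only; orion has nothing to dial out to

# On the dynamic-IP server: this end is the only one that can initiate.
conn n2n-anyaddr
    left=@orion.example.com
    leftid=@orion.example.com
    leftsubnet=10.0.0.0/24
    right=%defaultroute            # use whatever address this host currently has
    rightid=@dyn.example.com
    rightsubnet=192.168.11.0/24
    authby=secret
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart              # re-initiate after an address change is detected
    auto=start                     # must initiate; the fixed end never will
```

Matching the two rightid/leftid values against the PSK line in ipsec.secrets is what keeps `right=%any` from accepting any host that happens to know the address of orion.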

