<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Nick, Paul,<br>
<br>
Changed from left=victor.vouters.dyndns.org to:<br>
<b>1/ </b>left=alla.vouters.dyndns.org which is only known inside
the DNS table of my DSL router. This gives the following:<br>
[philippe@victor ~]$ nslookup alla.vouters.dyndns.org<br>
Server: 192.168.1.1<br>
Address: 192.168.1.1#53<br>
<br>
Name: alla.vouters.dyndns.org<br>
Address: 192.168.1.4<br>
[philippe@victor ~]$ sudo /usr/local/sbin/ipsec addconn --verbose
Philippe_PSK<br>
opening file: /etc/ipsec.conf<br>
debugging mode enabled<br>
including file '/etc/ipsec.d/*.conf'(/etc/ipsec.d/*.conf) from
line /etc/ipsec.conf:26<br>
Loading conn Philippe_PSK<br>
while loading conn 'Philippe_PSK' also including
'FIXED_RIGHT_IP'<br>
starter: case KH_DEFAULTROUTE: empty<br>
Loading conn DHCP_RIGHT_IP<br>
starter: check what we need to do for 'alla.vouters.dyndns.org' <br>
starter: ttoaddr_num failed, not numeric
'alla.vouters.dyndns.org' <br>
Calling unbound_resolve() for endpoint value<br>
starter: Resolved to alla.vouters.dyndns.org !<br>
while loading 'DHCP_RIGHT_IP': <b>Resolving failed for remote
address =alla.vouters.dyndns.org</b><br>
<br>
Loading conn FIXED_RIGHT_IP<br>
starter: case KH_DEFAULTROUTE: empty<br>
loading named conns: Philippe_PSK<br>
parse_src = 0, parse_gateway = 1, has_dst = 0<br>
dst via 192.168.1.1 dev eth0 src <br>
set nexthop: 192.168.1.1<br>
dst 169.254.0.0 via dev eth0 src <br>
dst 192.168.1.0 via dev eth0 src 192.168.1.2<br>
dst 127.0.0.0 via dev lo src 127.0.0.1<br>
dst 127.0.0.0 via dev lo src 127.0.0.1<br>
dst 127.0.0.1 via dev lo src 127.0.0.1<br>
dst 127.255.255.255 via dev lo src 127.0.0.1<br>
dst 192.168.1.0 via dev eth0 src 192.168.1.2<br>
dst 192.168.1.2 via dev eth0 src 192.168.1.2<br>
dst 192.168.1.255 via dev eth0 src 192.168.1.2<br>
<br>
parse_src = 1, parse_gateway = 0, has_dst = 1<br>
dst 192.168.1.1 via dev eth0 src 192.168.1.2<br>
set addr: 192.168.1.2<br>
002 "Philippe_PSK": deleting connection<br>
002 added connection description "Philippe_PSK"<br>
<br>
So the unbound library fails in this case as well as addconn.<br>
<br>
<b>2/ </b>left=vouters.dyndns.org with vouters.dyndns.org DNS
known by both dyndns.com and my DSL box. Here is the result:<br>
[philippe@victor ~]$ sudo /usr/local/sbin/ipsec addconn --verbose
Philippe_PSK<br>
opening file: /etc/ipsec.conf<br>
debugging mode enabled<br>
including file '/etc/ipsec.d/*.conf'(/etc/ipsec.d/*.conf) from
line /etc/ipsec.conf:26<br>
Loading conn Philippe_PSK<br>
while loading conn 'Philippe_PSK' also including
'FIXED_RIGHT_IP'<br>
starter: case KH_DEFAULTROUTE: empty<br>
Loading conn DHCP_RIGHT_IP<br>
starter: check what we need to do for 'vouters.dyndns.org' <br>
starter: ttoaddr_num failed, not numeric 'vouters.dyndns.org' <br>
Calling unbound_resolve() for endpoint value<br>
starter: Resolved to vouters.dyndns.org !<br>
Loading conn FIXED_RIGHT_IP<br>
starter: case KH_DEFAULTROUTE: empty<br>
loading named conns: Philippe_PSK<br>
parse_src = 0, parse_gateway = 1, has_dst = 0<br>
dst via 192.168.1.1 dev eth0 src <br>
set nexthop: 192.168.1.1<br>
dst 169.254.0.0 via dev eth0 src <br>
dst 192.168.1.0 via dev eth0 src 192.168.1.2<br>
dst 127.0.0.0 via dev lo src 127.0.0.1<br>
dst 127.0.0.0 via dev lo src 127.0.0.1<br>
dst 127.0.0.1 via dev lo src 127.0.0.1<br>
dst 127.255.255.255 via dev lo src 127.0.0.1<br>
dst 192.168.1.0 via dev eth0 src 192.168.1.2<br>
dst 192.168.1.2 via dev eth0 src 192.168.1.2<br>
dst 192.168.1.255 via dev eth0 src 192.168.1.2<br>
<br>
parse_src = 1, parse_gateway = 0, has_dst = 1<br>
dst 192.168.1.1 via dev eth0 src 192.168.1.2<br>
set addr: 192.168.1.2<br>
002 "Philippe_PSK": deleting connection<br>
002 added connection description "Philippe_PSK"<br>
[philippe@victor ~]$ <br>
<br>
So the unbound library succeeds in this case. addconn also
succeeds in correctly setting up Philippe_PSK.<br>
<br>
<b>Explanation thanks to Wireshark:</b><br>
The unbound library does not use the information in
/etc/resolv.conf at all, but queries fixed, well-known DNS servers (namely
the &lt;letter&gt;.root-servers.net computers). In the second, successful
case it ends up at dyndns.com, which returns the public IP
address of my DSL box. Had the unbound library queried
using the information in /etc/resolv.conf, it would have returned
my computer's IP address inside my home network.<br>
<br>
In the hope this clarifies.<br>
<pre class="moz-signature" cols="72">Philippe Vouters (Fontainebleau/France)
URL: <a class="moz-txt-link-freetext" href="http://vouters.dyndns.org/">http://vouters.dyndns.org/</a>
SIP: <a class="moz-txt-link-abbreviated" href="mailto:sip:Vouters@sip.linphone.org">sip:Vouters@sip.linphone.org</a></pre>
On 06/01/2013 20:59, Philippe Vouters wrote:<br>
</div>
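<p>The two-resolver difference described above (the stub path that reads /etc/resolv.conf and answers from the DSL router, versus a recursive resolver that walks down from the root servers and only sees what public DNS publishes) can be checked directly. The following script is an added example, not code from this thread or from Openswan/Libreswan: it builds a raw A query, sends it to a nameserver of your choice, parses the reply (including RFC 1035 compression pointers), and classifies the outcome. The hostnames, server addresses and the two reply packets embedded at the bottom are constructed sample data; <code>query_a()</code> is the only function that touches the network.</p>

```python
import random
import socket
import struct

# Added example (not code from the thread or from Openswan/Libreswan). Hostnames,
# server addresses and the sample reply packets below are constructed.

def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels (RFC 1035)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, txid):
    """Build a single-question A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def _read_name(msg, off, depth=0):
    """Return (name, next_offset); follows compression pointers, bounded to avoid loops."""
    if depth > 8:
        raise ValueError("too many compression pointers")
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # 2-byte pointer into the message
            ptr = ((length & 0x3F) << 8) | msg[off + 1]
            tail, _ = _read_name(msg, ptr, depth + 1)
            labels.append(tail)
            return ".".join(l for l in labels if l), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_a_records(msg, txid):
    """Return the sorted A-record addresses in a reply; [] on NXDOMAIN; raise on other errors."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    if rcode == 3:                                      # NXDOMAIN: the server does not know the name
        return []
    if rcode != 0:
        raise ValueError("server returned RCODE %d" % rcode)
    off = 12
    for _ in range(qdcount):                            # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            addrs.append(socket.inet_ntoa(rdata))
    return sorted(addrs)

def query_a(name, server, timeout=2.0):
    """Send the query over UDP directly to one nameserver and parse its reply (live)."""
    txid = random.getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_records(data, txid)

def stub_nameservers(resolv_text):
    """Extract the 'nameserver' entries from /etc/resolv.conf text (the stub resolver path)."""
    servers = []
    for line in resolv_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def classify(stub_answer, public_answer):
    """Say which resolver path knows the name, and whether the two paths disagree."""
    if not stub_answer and not public_answer:
        return "unresolvable"
    if stub_answer and not public_answer:
        return "lan-only"        # only the local resolver knows it: a recursive resolver fails
    if stub_answer != public_answer:
        return "split-horizon"   # both answer, but with different addresses (private vs public)
    return "consistent"

# Constructed sample traffic: a LAN-only name that the DSL router answers with
# 192.168.1.4 and that a public recursive resolver reports as NXDOMAIN.
SAMPLE_TXID = 0x1234
SAMPLE_QUERY = build_query("alla.home.example", SAMPLE_TXID)
SAMPLE_ROUTER_REPLY = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8180, 1, 1, 0, 0) + SAMPLE_QUERY[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton("192.168.1.4")
)
SAMPLE_PUBLIC_REPLY = struct.pack("!HHHHHH", SAMPLE_TXID, 0x8183, 1, 0, 0, 0) + SAMPLE_QUERY[12:]
```

<p>For a live check, take the stub server from <code>stub_nameservers(open("/etc/resolv.conf").read())</code>, pick a public recursive resolver of your own, and feed <code>query_a(name, stub)</code> and <code>query_a(name, public)</code> to <code>classify()</code>. A verdict of <code>lan-only</code> is exactly the first case in the mail (the name exists only in the router's DNS table); <code>split-horizon</code> is the second (dyndns.com publishes the public address while the router answers with the LAN address), which is why a tunnel endpoint given as such a name resolves to the public side when a recursive resolver does the lookup.</p>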
<blockquote cite="mid:50E9D7B1.4030700@laposte.net" type="cite">Paul,
Nick,
<br>
<br>
There is at least one visible bug here:
<br>
<br>
1/ DHCP_RIGHT_IP is taken into account despite auto=ignore
<br>
<br>
2/ unbound_resolve() failed to resolve victor.vouters.dyndns.org.
<br>
<br>
The second error can eventually be explained by:
<br>
<br>
[philippe@victor ~]$ nslookup victor.vouters.dyndns.org
<br>
Server: 192.168.1.1
<br>
Address: 192.168.1.1#53
<br>
<br>
** server can't find victor.vouters.dyndns.org: NXDOMAIN
<br>
<br>
despite:
<br>
<br>
[philippe@victor ~]$ hostname
<br>
victor.vouters.dyndns.org
<br>
[philippe@victor ~]$ cat /etc/hosts
<br>
# Do not remove the following line, or various programs
<br>
# that require network functionality will fail.
<br>
127.0.0.1 localhost.localdomain localhost
victor.localdomain
<br>
::1 localhost6.localdomain6 localhost6
<br>
192.168.1.2 victor.vouters.dyndns.org victor <a class="moz-txt-link-abbreviated" href="http://www.vouters.com">www.vouters.com</a>
<br>
...
<br>
[philippe@victor ~]$
<br>
<br>
[philippe@victor ~]$ sudo cat /etc/ipsec.d/vouters.conf
<br>
# Mutual PSK
<br>
conn Philippe_PSK
<br>
authby=secret
<br>
# leftsourceip=192.168.1.2
<br>
also=FIXED_RIGHT_IP
<br>
<br>
conn DHCP_RIGHT_IP
<br>
type=tunnel
<br>
pfs=yes
<br>
dpddelay=30
<br>
dpdtimeout=120
<br>
dpdaction=restart
<br>
left=victor.vouters.dyndns.org
<br>
# leftnexthop=%defaultroute
<br>
leftprotoport=udp/bootps
<br>
leftupdown="ipsec _updown --route yes"
<br>
right=%any
<br>
rightsubnetwithin=192.168.1.0/24
<br>
rightprotoport=udp/bootps
<br>
rekey=no
<br>
auto=ignore
<br>
# auto=add
<br>
<br>
conn FIXED_RIGHT_IP
<br>
type=tunnel
<br>
pfs=yes
<br>
dpddelay=30
<br>
dpdtimeout=120
<br>
dpdaction=restart
<br>
left=%defaultroute
<br>
leftnexthop=%defaultroute
<br>
leftsubnet=0.0.0.0/0
<br>
leftupdown="ipsec _updown --route yes"
<br>
right=%any
<br>
rightsubnet=vhost:%no,%priv
<br>
rekey=no
<br>
auto=add
<br>
[philippe@victor ~]$ sudo /usr/local/sbin/ipsec addconn --verbose
Philippe_PSK
<br>
opening file: /etc/ipsec.conf
<br>
debugging mode enabled
<br>
including file '/etc/ipsec.d/*.conf'(/etc/ipsec.d/*.conf) from
line /etc/ipsec.conf:26
<br>
Loading conn Philippe_PSK
<br>
while loading conn 'Philippe_PSK' also including
'FIXED_RIGHT_IP'
<br>
starter: case KH_DEFAULTROUTE: empty
<br>
Loading conn DHCP_RIGHT_IP
<br>
starter: check what we need to do for 'victor.vouters.dyndns.org'
<br>
starter: ttoaddr_num failed, not numeric
'victor.vouters.dyndns.org'
<br>
Calling unbound_resolve() for endpoint value
<br>
starter: Resolved to victor.vouters.dyndns.org !
<br>
while loading 'DHCP_RIGHT_IP': Resolving failed for remote address
=victor.vouters.dyndns.org
<br>
<br>
Loading conn FIXED_RIGHT_IP
<br>
starter: case KH_DEFAULTROUTE: empty
<br>
loading named conns: Philippe_PSK
<br>
parse_src = 0, parse_gateway = 1, has_dst = 0
<br>
dst via 192.168.1.1 dev eth0 src
<br>
set nexthop: 192.168.1.1
<br>
dst 169.254.0.0 via dev eth0 src
<br>
dst 192.168.1.0 via dev eth0 src 192.168.1.2
<br>
dst 127.0.0.0 via dev lo src 127.0.0.1
<br>
dst 127.0.0.0 via dev lo src 127.0.0.1
<br>
dst 127.0.0.1 via dev lo src 127.0.0.1
<br>
dst 127.255.255.255 via dev lo src 127.0.0.1
<br>
dst 192.168.1.0 via dev eth0 src 192.168.1.2
<br>
dst 192.168.1.2 via dev eth0 src 192.168.1.2
<br>
dst 192.168.1.255 via dev eth0 src 192.168.1.2
<br>
<br>
parse_src = 1, parse_gateway = 0, has_dst = 1
<br>
dst 192.168.1.1 via dev eth0 src 192.168.1.2
<br>
set addr: 192.168.1.2
<br>
002 "Philippe_PSK": deleting connection
<br>
002 added connection description "Philippe_PSK"
<br>
[philippe@victor ~]$
<br>
<br>
</blockquote>
<br>
</body>
</html>