<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I've no idea, but I thought "hold" was only for only fixed IP's.<br>
<br>
<div class="moz-cite-prefix">On 16/09/2015 10:31, Tony Whyman wrote:<br>
</div>
<blockquote cite="mid:55F936F7.4050303@mccallumwhyman.com"
type="cite">
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
I could certainly try that. Would that force a DNS refresh?<br>
<br>
<div class="moz-cite-prefix">On 16/09/15 10:30, Nick Howitt wrote:<br>
</div>
<blockquote cite="mid:55F936A5.1060601@howitts.co.uk" type="cite">
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
Do you need to use the "hold" state? Can you set DPD action to
clear the conn so it renegotiates?<br>
<br>
Nick<br>
<br>
<div class="moz-cite-prefix">On 16/09/2015 10:25, Tony Whyman
wrote:<br>
</div>
<blockquote cite="mid:55F9356E.9040303@mccallumwhyman.com"
type="cite"> <br>
Looking at the Wiki, there is the following statement: <br>
<br>
"When connections rekey, dynamic dns support performs a fresh
dns lookup to support IPsec gateways on dynamic IP using DNS
names, such as dyndns.org." <br>
<br>
But is this also true of SAs in the hold state? My tests
suggest not. <br>
<br>
The scenario that I am trying to get working is when both
IPSec gateways are behind NAT routers using dynamic IP
Addresses. Both also use a DDNS service. I would like the
setup to be symmetric with both having an "auto=start" entry,
and with right/left entries being the Domain Names of the
gateways on the DDNS services. the NAT routers are set up to
always route ports 500 and 4500 to these gateways. <br>
<br>
In tests this all works fine until one of the IP Addresses
changes when it stops working, the SAs go into the hold state
and stay that way. Looking at the IPSec gateway that has not
changed its dynamic IP Address, it is clearly still using the
old IP Address even after 30 mins of idling. <br>
<br>
It's easy enough to kick it back into life with "ipsec auto
--add <connection name>", but that seems to be the only
way to recover. <br>
<br>
At the same time, I also had SAs set up to a gateway on a
static IP Address, with anonymous connection configuration
i.e. <br>
<br>
right=%any <br>
rightsubnet=vhost:%no,%priv <br>
<br>
for the gateway behind the dynamic IP Address. This SA
recovered with no problem. <br>
<br>
So there does seem to be an IP Address agility issue here. I
could set up a separate monitoring process to check for DDNS
changes and kick pluto with an appropriate "auto --add" when
the change is detected, but ideally libreswan should be able
to handle this case automatically. So: <br>
<br>
1. When an explicit domain name is given as a left/right entry
does this prevent IP Address changes at the other end? <br>
<br>
2. Is it possible for pluto to refresh (expired) DNS entries
while an SA is in the hold state or otherwise not connected? <br>
<br>
Regards <br>
<br>
Tony Whyman <br>
MWA <br>
_______________________________________________ <br>
Swan mailing list <br>
<a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a>
<br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://lists.libreswan.org/mailman/listinfo/swan">https://lists.libreswan.org/mailman/listinfo/swan</a>
<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
</body>
</html>