<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<br>
<div class="moz-cite-prefix">On 11/12/2015 19:19, Paul Wouters
wrote:<br>
</div>
<blockquote
cite="mid:alpine.LFD.2.20.1512111414140.17670@bofh.nohats.ca"
type="cite">
<br>
On Thu, 10 Dec 2015, Tony Whyman wrote:
<br>
<br>
<blockquote type="cite">The thread on converting from Openswan to
Libreswan reminded me of the following script that I have added
to all my Ubuntu systems which use DHCP rather than static IP
addresses. The script is installed as:
<br>
<br>
/etc/network/if-up.d/ipsec
<br>
<br>
and seems to be necessary for pluto to recognise a change to the
local IP Address.
<br>
</blockquote>
<br>
That's a rather blunt hammer. You should replace that with only:
<br>
<br>
ipsec whack --listen
<br>
<br>
<blockquote type="cite">have such a script. I started installing
this script with Openswan and it still seems necessary with
Libreswan (1.15). Without it there seems to be a race condition
on startup with pluto sometimes failing to pick the external
interface, especially if DHCP is a bit slow. The script is
essential when I am using a Laptop and moving between WiFi
networks.
<br>
</blockquote>
<br>
There is a bit of history behind this. Originally, pluto's design
was
<br>
not meant to gain or lose IP addresses on the fly. However, the
world
<br>
changes and this now happens for everyone. pluto should be
extended to
<br>
deal with this. In a NetworkManager world, NM can send a notify
that
<br>
pluto could act on. But it might be easier and more generic for
pluto
<br>
to monitor for networking changes itself.
<br>
<br>
Note that pluto "orients" connections to determine if it is "left"
or
<br>
"right" when the connection loads. So a network change might
require
<br>
re-orienting connections. That's fine for connections loaded and
not
<br>
up. What to do with active tunnels is more tricky.
<br>
<br>
</blockquote>
But aren't the active tunnels de facto dead as the far end at that
point is still trying to communicate to the old IP address and may
even have to wait for DNS propagation to be able to reconnect?<br>
<blockquote
cite="mid:alpine.LFD.2.20.1512111414140.17670@bofh.nohats.ca"
type="cite">
<blockquote type="cite">to see which interfaces pluto is listening
on. Then connect the network and once the IP Address is
assigned, run the above again. Without the script there is no
change to the interfaces that pluto is listening on. With the
script - pluto will have picked up the new IP Address. It's a
pity a full restart is necessary but I can't seem to find any
other way to get pluto to update its attachments.
<br>
</blockquote>
<br>
I guess you should look at what event triggers when DHCP
completes, and
<br>
cause that event to run "ipsec whack --listen".
<br>
</blockquote>
Have a look at /etc/dhcp/dhclient-exit-hooks. The only thing is,
when I tried using it in a very basic way, it triggered every time
the lease was renewed. There may be options only to trigger on IP
change. I stopped looking at that point as my "dynamic IP" is
virtually static and has not changed in over a year now.<br>
<blockquote
cite="mid:alpine.LFD.2.20.1512111414140.17670@bofh.nohats.ca"
type="cite">
<br>
Paul
<br>
_______________________________________________
<br>
Swan mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a>
<br>
<a class="moz-txt-link-freetext" href="https://lists.libreswan.org/mailman/listinfo/swan">https://lists.libreswan.org/mailman/listinfo/swan</a>
<br>
</blockquote>
<br>
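<p>As an added example (not from Paul's or Tony's mails and not part of libreswan), here is the kind of dhclient exit hook the thread converges on: a script sourced by dhclient-script that runs <tt>ipsec whack --listen</tt> only when the lease outcome actually changes the address pluto should be bound to, rather than on every renewal. It relies on the variables dhclient-script exports to hooks (<tt>reason</tt>, <tt>interface</tt>, <tt>old_ip_address</tt>, <tt>new_ip_address</tt>); the function name <tt>ipsec_hook_decision</tt> and the logger tag are this example's own choices. Because <tt>/etc/dhcp/dhclient-exit-hooks</tt> is sourced rather than executed, the script deliberately never calls <tt>exit</tt>, which would abort dhclient-script itself.</p>

```shell
#!/bin/sh
# Example dhclient exit hook (hypothetical, written for this thread):
# install as /etc/dhcp/dhclient-exit-hooks (or a file under
# /etc/dhcp/dhclient-exit-hooks.d/). dhclient-script sources it with
# $reason, $interface, $old_ip_address and $new_ip_address set.
# Never "exit" from here: the file is sourced, so exit kills dhclient-script.

# Decide whether pluto must re-scan its interfaces.
# Prints "listen" when the address is new, changed or gone, "skip" otherwise.
# Arguments: reason old_ip new_ip
ipsec_hook_decision() {
    reason_="$1"; old_="$2"; new_="$3"
    case "$reason_" in
        BOUND|REBOOT)
            # First lease on this interface (or re-established after reboot):
            # pluto may have started before DHCP finished and missed it.
            echo listen ;;
        RENEW|REBIND)
            # Lease renewal: only act if the server handed out a different
            # address; a plain renewal of the same lease is the noisy case
            # described in the thread and needs nothing.
            if [ -n "$new_" ] && [ "$new_" != "$old_" ]; then
                echo listen
            else
                echo skip
            fi ;;
        EXPIRE|FAIL|RELEASE|STOP)
            # Address went away: re-scan so pluto drops the stale interface.
            echo listen ;;
        *)
            # PREINIT, MEDIUM, TIMEOUT etc. carry no usable address change.
            echo skip ;;
    esac
}

# Only act when really invoked by dhclient-script (which sets $reason).
# Sourced from anywhere else, the file just defines the function above.
if [ -n "$reason" ]; then
    if [ "$(ipsec_hook_decision "$reason" "$old_ip_address" "$new_ip_address")" = listen ]; then
        logger -t dhclient-ipsec \
            "$reason on $interface: ${old_ip_address:-none} -> ${new_ip_address:-none}; running ipsec whack --listen"
        ipsec whack --listen
    fi
fi
```

<p>Check the decision logic without touching pluto by sourcing the file in a shell and calling the function by hand, e.g. <tt>ipsec_hook_decision RENEW 192.0.2.10 192.0.2.10</tt> prints <tt>skip</tt> while <tt>ipsec_hook_decision RENEW 192.0.2.10 192.0.2.11</tt> prints <tt>listen</tt>. NetworkManager-managed systems use its dispatcher scripts rather than dhclient hooks, so this file is only picked up where dhclient-script is what configures the interface.</p>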
</body>
</html>