> From: "K.-P. Kirchdörfer" <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Date: Mon, 24 Feb 2003 18:23:39 +0100
> Subject: [leaf-user] vpn with dynamic ip (long)
>
> Hello;
>
> The problem/situation is:
> I have two LEAF routers with dynamic IPs, changing at least once a day.
> Both are set up with the latest Bering-uClibc 1.1.
>
> I built a solution, but I'm not sure if that's the way to go.
> Please review, esp. regarding security (vpn/shorewall issues).
-----------S-----N-----I-----P--------
I'm curious to know why you elected to ping the other end to look for a change? I'm assuming you look at the IP that is returned, rather than whether you get a ping response? Could you not watch the local public IP and tear down/rebuild the tunnels when a change is detected? Assuming the IP changes on both ends didn't happen at the same time (and maybe even if they did), this should work (?) You could also have it automatically update the dynamic DNS provider when the change is seen, rather than wait for a heartbeat?

I note you haven't included a retry value... When I last looked, the retry function didn't check the DNS. Rather, it just blindly pounded away at the IP where it last saw the other gateway. So not having this value is probably the right thing to do. I wonder if anyone has been watching the freeswan list (I got tired of the politics) and could tell us whether this behavior has been changed? I seem to recall the developers had a reason not to do the recheck, but I don't recall the details. I'm also not using the most recent version!

As for security, could you limit connections to the subnet the other end is on? I don't worry too much about opening up things the way you have, but you might be able to fine-tune things a little?

Luckily all my dynamic gateways connect to a static one, or I'd be asking for your script... ;-)

Brock

-------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
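Brock's suggestion above (watch the router's own public address instead of pinging the peer, rebuild the tunnel and refresh dynamic DNS only when that address actually changes, and treat a failed lookup as "no information" rather than as a change), written out as an added example in POSIX shell. It is not Kirchdörfer's snipped script and not code from the original thread. The external interface name, the state-file path, the connection name and the FreeS/WAN "ipsec auto" and dynamic-DNS update commands inside on_change are assumptions to be replaced for the real box; the ifconfig output parsed in demo mode is constructed.

```shell
#!/bin/sh
# Added example, not code from the original thread: watch this router's own
# public address and rebuild the tunnel only when it changes, instead of
# pinging the other end. Interface, state-file path and connection name are
# assumptions; adjust them for the real box.

EXT_IF="${EXT_IF:-eth0}"                            # assumed external interface
STATE_FILE="${STATE_FILE:-/var/run/vpn_public_ip}"  # assumed path for last-seen IP
CONN="${CONN:-leaf2leaf}"                           # assumed FreeS/WAN conn name

# Pull the first IPv4 address out of ifconfig/ip output read on stdin.
# Matches both busybox "inet addr:A.B.C.D" and iproute2 "inet A.B.C.D/NN";
# "inet6" lines do not match because of the space after "inet".
extract_ip() {
    sed -n 's/.*inet \(addr:\)*\([0-9][0-9.]*\).*/\2/p' | head -n 1
}

# Decide what the observed address means relative to the recorded one.
# An empty observation is "nodata", so a failed lookup never tears anything down.
classify_change() {
    old="$1"; new="$2"
    if [ -z "$new" ]; then echo nodata
    elif [ "$old" = "$new" ]; then echo same
    else echo changed
    fi
}

# Action on a real change: rebuild the tunnel and refresh dynamic DNS.
# Both commands are assumptions about the setup; replace them as needed.
on_change() {
    ipsec auto --replace "$CONN" && ipsec auto --up "$CONN"
    # the dynamic-DNS provider's update client (e.g. ez-ipupdate) goes here
}

# Record the new address and fire on_change only when it actually differs.
# Usage: check_public_ip STATE_FILE CURRENT_IP ; prints nodata|same|changed.
check_public_ip() {
    state="$1"; cur="$2"
    old=""
    [ -r "$state" ] && old=$(cat "$state")
    verdict=$(classify_change "$old" "$cur")
    if [ "$verdict" = changed ]; then
        echo "$cur" > "$state"
        on_change
    fi
    echo "$verdict"
}

# Constructed busybox-style ifconfig output for offline testing.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:203.0.113.7  Bcast:203.0.113.255  Mask:255.255.255.0
          inet6 addr: fe80::211:22ff:fe33:4455/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

case "${1:-}" in
  --demo)
    # Dry run against the constructed output: no ipsec call, throwaway state file.
    on_change() { echo "(would run: ipsec auto --replace $CONN && ipsec auto --up $CONN)" >&2; }
    tmp=$(mktemp)
    ip=$(printf '%s\n' "$SAMPLE_IFCONFIG" | extract_ip)
    echo "first run:     $(check_public_ip "$tmp" "$ip")"
    echo "second run:    $(check_public_ip "$tmp" "$ip")"
    echo "lookup failed: $(check_public_ip "$tmp" "")"
    rm -f "$tmp"
    ;;
  --run)
    # Real run, e.g. from cron every minute.
    check_public_ip "$STATE_FILE" "$(ifconfig "$EXT_IF" | extract_ip)"
    ;;
esac
```

Run it with --demo to see the three verdicts on the constructed output (changed, same, nodata), and with --run from cron on the router. Because the comparison is against the address this box currently holds, a change is acted on as soon as the DHCP/PPP lease hands out a new one, without waiting for the peer to notice, and a transient failure to read the interface leaves the existing tunnel alone.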
