On Tuesday, 25 February 2003 05:35, Brock Nanson wrote:
> > From: "K.-P. Kirchdörfer" <[EMAIL PROTECTED]>
> > Reply-To: [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Date: Mon, 24 Feb 2003 18:23:39 +0100
> > Subject: [leaf-user] vpn with dynamic ip (long)
> >
> > Hello;
> >
> > The problem/situation is:
> > I have two LEAF routers with dynamic IPs, changing at least once a day.
> > Both are set up with the latest Bering-uClibc 1.1.
> >
> > I built a solution, but I'm not sure if that's the way to go.
> > Please review, esp. regarding security (vpn/shorewall issues).
> > -----------S-----N-----I-----P--------
>
> I'm curious to know why you elected to ping the other end to look for a
> change? I'm assuming you look at the IP that is returned, rather than
> whether you get a ping response?

In fact I'm checking whether there is NO response. The setup is that the ping to
remote.dyndns.org is only possible via the tunnel - and as long as the tunnel is
up and alive nothing happens. If the ping fails, the ip address on either node
changed -> tunnels broken, ipsec will be restarted.

> Could you not watch the local public IP and tear down/rebuild the tunnels
> when a change is detected? Assuming the IP changes on both ends didn't
> happen at the same time (and maybe even if they did) this should work (?)

My experience has been that ipsec is bound to the ip address, and a change of
ip number breaks tunnels forever (expired SA or an error like that, can't
remember).

> You could also have it automatically update the dynamic dns provider when
> the change is seen, rather than wait for a heartbeat?

dns name resolution is no problem, done with ip-up and ez-ipupdate. Very small
delay.

> I note you haven't included a retry value... when I last looked, the retry
> function didn't check the dns. Rather it just blindly pounded away at the
> IP it last saw the other gateway. So not having this value is probably the

Yes, that doesn't work with dns; life would have been easier...

> As for security, could you limit connections to the subnet the other end is
> on? I don't worry too much about opening up things the way you have, but
> you might be able to fine tune things a little?

Are you talking about policy/rules in shorewall? Yes, that could and should be
done; anyway, that's something I'm aware of, and it will be adjusted once I know
what ports have to be opened. At the moment I just wanted to make sure that
everything is working as expected and didn't want to debug ipsec while missing
iptables rules are the culprit...

> Luckily all my dynamic gateways connect to a static or I'd be asking for
> your script... ;-)

If no one complains, this will end up as a small LEAF FAQ chapter :)

Thanks for comments.
kp

-------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
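The heartbeat logic kp describes, as an added example written for this page and not kp's own script: one cron-driven watchdog pass that pings a host reachable only through the tunnel and, going a step beyond the post by taking up Brock's suggestion as well, compares the peer's resolved address and the local external address against the ones the tunnel was last built with, so a transient ping loss is retried a few times while a real address change restarts ipsec at once. All names, addresses, paths and commands are constructed assumptions.

```sh
#!/bin/sh
# Added example, not kp's script: one pass of a tunnel watchdog built on his
# heartbeat idea. Constructed assumptions: PEER_NAME is the remote gateway's
# dynamic DNS name, HEARTBEAT_HOST sits behind it and is reachable only through
# the tunnel, LOCAL_IF is the local external interface, STATE_FILE remembers
# what the tunnel was last built against, RESTART_CMD rebuilds the tunnels.
PEER_NAME="${PEER_NAME:-remote.dyndns.org}"
HEARTBEAT_HOST="${HEARTBEAT_HOST:-192.168.2.1}"
LOCAL_IF="${LOCAL_IF:-eth0}"
STATE_FILE="${STATE_FILE:-/tmp/vpn-watchdog.state}"
RESTART_CMD="${RESTART_CMD:-/etc/init.d/ipsec restart}"
MAX_FAIL="${MAX_FAIL:-3}"   # failed passes in a row before restarting anyway

# Probe helpers; the parsing assumes busybox-style nslookup and iproute2 output.
heartbeat()    { ping -c 3 -W 2 "$HEARTBEAT_HOST" >/dev/null 2>&1; }
resolve_peer() { nslookup "$PEER_NAME" 2>/dev/null | awk '/^Name:/{f=1} f&&/^Address/{for(i=2;i<=NF;i++)if($i~/^[0-9.]+$/){print $i;exit}}'; }
local_ip()     { ip -4 addr show dev "$LOCAL_IF" | awk '/inet /{sub("/.*","",$2);print $2;exit}'; }

# decide HB_RC LAST_PEER NOW_PEER LAST_LOCAL NOW_LOCAL FAILS -> prints the action:
#   up       heartbeat answered through the tunnel, nothing to do
#   restart  heartbeat failed and an endpoint address changed (ipsec keeps the
#            address it started with, so only a restart binds the new one), or
#            it has failed MAX_FAIL passes in a row with nothing visibly changed
#   probe    heartbeat failed but no address changed yet: transient loss, or the
#            peer's dynamic DNS record has not caught up; look again next pass
decide() {
    if [ "$1" -eq 0 ]; then echo up; return 0; fi
    if [ -n "$3" ] && [ "$3" != "$2" ]; then echo restart; return 0; fi
    if [ -n "$5" ] && [ "$5" != "$4" ]; then echo restart; return 0; fi
    if [ $(( ${6:-0} + 1 )) -ge "$MAX_FAIL" ]; then echo restart; return 0; fi
    echo probe
}

# One watchdog pass, meant to run every few minutes from cron; prints the action.
watchdog_pass() {
    last_peer=""; last_local=""; fails=0
    if [ -r "$STATE_FILE" ]; then read -r last_peer last_local fails < "$STATE_FILE" || :; fi
    now_peer=$(resolve_peer); now_local=$(local_ip)
    if heartbeat; then hb=0; else hb=1; fi
    action=$(decide "$hb" "$last_peer" "$now_peer" "$last_local" "$now_local" "${fails:-0}")
    case "$action" in
        up)      fails=0 ;;
        probe)   fails=$(( ${fails:-0} + 1 )) ;;
        restart) fails=0; $RESTART_CMD >/dev/null 2>&1 || echo "ipsec restart failed" >&2 ;;
    esac
    # Remember what the tunnel now runs against, for the next pass to compare.
    printf '%s %s %s\n' "$now_peer" "$now_local" "$fails" > "$STATE_FILE"
    echo "$action"
}
```

Because the heartbeat host is only reachable through the tunnel, the shorewall rules kp mentions still need to admit that one ICMP flow across the ipsec zone and nothing more.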
