I have an IPSec VPN endpoint running on OpenBSD on a cable
modem. Technically it has a dynamic IP but in practice the IP only changes
about once every 3 ~ 5 years. I run ddclient on the OpenBSD box to
maintain the dns name of the box so I can find it and that's working
well.

My ipsec configuration is based on certificates. Thus, my single point
of failure is DNS resolution. And my failure modality is that things
won't configure if DNS is unavailable. Specifically, my problem is
with startup of the ipsec infrastructure.

I get this error at startup:

     starting early daemons: syslogd pflogd ntpd isakmpd.
     no IP address found for ike-v1.example.com
     /etc/ipsec.conf: 15: could not parse host specification
     no IP address found for ike-v1.example.com
     /etc/ipsec.conf: 26: could not parse host specification
     no IP address found for ike-v1.example.com
     /etc/ipsec.conf: 35: could not parse host specification
     ipsecctl: Syntax error in config file: ipsec rules not loaded
     starting RPC daemons:.
     savecore: no core dump
     checking quotas: done.
     clearing /tmp
     kern.securelevel: 0 -> 1
     creating runtime link editor directory cache.
     preserving editor files.
     starting network daemons: sshd snmpd rtadvd smtpd.
     starting package daemons: squid isc_named netsnmpd.
     starting local daemons: cron.

Logging into the box and doing:

     # rcctl restart isakmpd
     ...
     # ipsecctl -F -f /etc/ipsec.conf
     ...

Makes everything good again. This leads to a few questions:

     My box cannot resolve the name "ike-v1.example.com" until
     after isc_named is started which happens way late in the bootup
     process. I've noticed that the rcctl manpage mentions changing
     the startup order.

        * Can I affect this change at all since isakmpd is a base
          system service and isc_named is in pkg_scripts?

     Just restarting isakmpd doesn't load /etc/ipsec.conf. Without a
     configuration, I'm not sure how useful isakmpd is.

        * Would it be wise to just add cron job that fires at reboot
          and uses rcctl to reload isakmpd and then reloads the ipsec
          configuration?

As always, it's possible that I'm completely missing something
here. I'm always interested in better solutions.

Thank you very much,
-- 
Chris

      __o          "All I was trying to do was get home from work."
    _`\<,_           -Rosa Parks
___(*)/_(*)____.___o____..___..o...________ooO..._____________________
Christopher Sean Hilton                    [chris/at/vindaloo/dot/com]
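An added example, not code from the original post: one way to handle the "name does not resolve yet at boot" failure mode described above is a small sh script that extracts the DNS names from ipsec.conf, waits (with a bound) until each one resolves, and only then loads the rules with ipsecctl. It assumes the hostname ike-v1.example.com from the post is a placeholder, that name resolution is checked with getent(1), and that the final function would be called from /etc/rc.local (which OpenBSD runs after the package daemons, so isc_named is already up); the sample ipsec.conf it parses is constructed here for illustration.

```shell
#!/bin/sh
# Added example: wait for the peer names in ipsec.conf to resolve before
# loading the rules. Intended to be called from /etc/rc.local (assumption),
# not a replacement for the base rc ordering.

# Print each distinct DNS name that follows a host-spec keyword
# (from/to/peer/local) in the given ipsec.conf. IP literals, CIDR blocks,
# IPv6 addresses (contain ':') and the keyword "any" are skipped.
ipsec_hostnames() {
    awk '
        /^[[:space:]]*#/ { next }                # skip comment lines
        {
            for (i = 1; i < NF; i++)
                if ($i == "from" || $i == "to" || $i == "peer" || $i == "local") {
                    h = $(i + 1)
                    sub(/\/.*/, "", h)           # drop a /prefix length
                    if (h != "any" && h ~ /[A-Za-z]/ && h !~ /:/) print h
                }
        }' "$1" | sort -u
}

# Default resolver check: succeeds when NAME resolves via the libc resolver.
name_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# wait_for_dns NAME MAX_TRIES SLEEP_SECS [CHECK_FN]
# Returns 0 as soon as CHECK_FN NAME succeeds, 1 after MAX_TRIES failures.
# The bound matters: boot must not hang forever on a dead resolver.
wait_for_dns() {
    name="$1"; max="$2"; delay="$3"; check="${4:-name_resolves}"
    i=0
    while [ "$i" -lt "$max" ]; do
        if "$check" "$name"; then
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    return 1
}

# load_ipsec_when_resolvable [CONFIG]
# Waits up to 30 x 10 s for every name in CONFIG, logs and gives up on the
# first one that never resolves, otherwise loads the rules. Needs root.
load_ipsec_when_resolvable() {
    conf="${1:-/etc/ipsec.conf}"
    for h in $(ipsec_hostnames "$conf"); do
        if ! wait_for_dns "$h" 30 10; then
            logger -t ipsec-wait "giving up: $h did not resolve"
            return 1
        fi
    done
    ipsecctl -f "$conf"
}

# Constructed sample config (NOT the poster's real /etc/ipsec.conf) so the
# name extraction can be exercised without touching the system.
SAMPLE_CONF=$(mktemp "${TMPDIR:-/tmp}/ipsec-sample.XXXXXX")
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample
ike esp from 192.168.1.0/24 to 10.0.0.0/24 \
        peer ike-v1.example.com
ike esp from any to fe80::1 peer gw.example.net
flow esp from 192.168.1.1 to 10.0.0.1 peer ike-v1.example.com
EOF

# Usage from rc.local (run as root):  load_ipsec_when_resolvable /etc/ipsec.conf
# Dry run of the extraction on the sample:
ipsec_hostnames "$SAMPLE_CONF"
```

The extraction is deliberately conservative: anything that is not clearly a DNS name is left alone, so an unresolvable entry fails loudly in the log rather than being silently skipped, and the wait is bounded so a resolver outage degrades to "VPN not loaded, logged" instead of a stalled boot.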
