Per my earlier post I'm trying to debug an IPSec Tunnel between two Soekris boxes running OpenBSD 4.5. One side of the connection has static IP, the other is a DSL connection and uses dynamic IP. When the IP address changes the tunnel drops and the only way I've come up with to restore it is to log into the remote side and do the following shell commands:

     # kill $(cat /var/run/isakmpd.pid)
     # /sbin/isakmpd -K
     # /sbin/ipsecctl -f /etc/ipsec.conf

I just spent an hour working on the remote side and I've come up with more information on the problem, particularly with isakmpd.

My /etc/ipsec.conf looks like this:

my_fqdn="myfqdn.example.com"
my_ip="1.2.3.4"
my_network="192.168.64.0/24"

remote_fqdn="remotefqdn.example.com"
remote_ip="5.6.7.8"
remote_network="192.168.65.0/24"

ike dynamic esp from { $my_ip $my_network} \
        to { $remote_fqdn $remote_network} \
        local $my_ip peer $remote_fqdn \
        srcid $my_fqdn dstid $remote_fqdn

ike dynamic esp from $my_ip to $remote_fqdn \
        local $my_ip peer $remote_fqdn \
        srcid $my_fqdn dstid $remote_fqdn


Through dhclient-script and dhclient-exit-hooks I'm able to do this:

     # ipsecctl -F -D my_ip=${new_ip_address} -f /etc/ipsec.conf

at the time that dhclient changes my IP address, but this doesn't work. Isakmpd complains thusly:

     Aug 29 16:19:53 stompbox isakmpd[14934]: udp_create: 1.2.3.4:500 must exist as a listener too
     Aug 29 16:19:53 stompbox isakmpd[14934]: exchange_establish: transport "udp" for peer "peer-5.6.7.8-local-1.2.3.4" could not be created

I believe these messages are caused by the first call to isakmpd, which happens before I know what IP address I have.

If I could get this piece of things to work I think that could solve the rest of my problems by just running ddclient as a daemon with a timeout of 5 minutes.

Again, thanks for any assistance.

-- Chris

P.S. my earlier post is below.

On Aug 29, 2009, at 2:09 PM, Christopher Hilton wrote:

I'm having Dynamic IP issues with dhclient, ddclient, and isakmpd, on OpenBSD running on a Soekris net4511 as a residential gateway. My connection is a consumer grade AT&T DSL line. My IP address changes an average of once every 18 hours but that is not set. I have an IPSEC tunnel configured using certificates and FQDN identifiers between the Soekris and another OpenBSD box in my basement on a static IP connection. This whole setup works as follows: The Soekris gets its external IP via dhclient. Ddclient updates this address at DynDNS.com and isakmpd should then follow by establishing the tunnel. All of this works great on boot. When the external IP gets changed by AT&T, isakmpd fails because it continues to use the old IP address for the IKE exchange. I can restore the tunnel with the following shell commands:

    # kill $(cat /var/run/isakmpd.pid)
    # /usr/sbin/isakmpd -K
    # /usr/sbin/ipsecctl -F -f /etc/ipsec.conf

Shouldn't the ipsec tunnel get restored by just the third command?

Things that I've tried. I've changed the dhclient-script to one that calls enter and exit hooks like the stock ISC dhclient does and I've added a little bit of scripting there to capture the IP address change event but when I add the call to do the updates within this script dhclient fails and dies. I'm inclined to believe that this is a timeout issue since the exact same modifications work on a Soekris Net5501. The only differences that I can see between the two of them are that ddclient takes about 8 ~ 10 seconds on the Net4511 and about 1.5 seconds on the Net5501.

I've also tried running sshd on the box and having it available so I could just log in and manage the transition on my own but that seems to fail also. Do I need to restart pf after an address change on my external interface?

Thanks for any help
-- Chris
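The restart sequence from the post, wired into a dhclient exit hook, as an added example that is not code from the original thread. It assumes a dhclient-script modified (as the poster describes) to source /etc/dhclient-exit-hooks with the ISC-style variables $reason, $old_ip_address and $new_ip_address set; the hypothetical should_reload check keeps the hook from restarting isakmpd on every lease renewal, and the wait loops give isakmpd time to die and to bind its listener on the new address before ipsecctl loads the rules.

```shell
# Hypothetical /etc/dhclient-exit-hooks (constructed example, not from the post).
ISAKMPD=${ISAKMPD:-/sbin/isakmpd}
IPSECCTL=${IPSECCTL:-/sbin/ipsecctl}
PIDFILE=${PIDFILE:-/var/run/isakmpd.pid}
CONF=${CONF:-/etc/ipsec.conf}

# Rebuild only on a lease event that assigns an address, and only when the
# address really changed; a RENEW that keeps the same IP leaves the tunnel up.
# Returns 0 (rebuild) or 1 (leave alone) so it can sit directly in an if.
should_reload() {
    _reason=$1; _old=$2; _new=$3
    case $_reason in
        BOUND|RENEW|REBIND|REBOOT) ;;
        *) return 1 ;;
    esac
    [ -n "$_new" ] || return 1
    [ "$_old" != "$_new" ]
}

# Poll a shell condition ($1) once a second for up to $2 seconds.
wait_for() {
    _i=0
    until eval "$1"; do
        _i=$((_i + 1))
        [ "$_i" -lt "$2" ] || return 1
        sleep 1
    done
}

# Stop the isakmpd bound to the old address, start a fresh one, then flush
# the SPD and reload ipsec.conf with my_ip overridden to the new address.
rebuild_tunnel() {
    _new=$1
    if [ -r "$PIDFILE" ]; then
        _pid=$(cat "$PIDFILE")
        kill "$_pid" 2>/dev/null || true
        wait_for "! kill -0 $_pid 2>/dev/null" 10 || return 1
    fi
    "$ISAKMPD" -K
    # Let isakmpd open its UDP 500 listener on the new address first, otherwise
    # ipsecctl triggers the "must exist as a listener too" error from the post.
    wait_for "[ -r $PIDFILE ]" 10 || return 1
    "$IPSECCTL" -F -D "my_ip=$_new" -f "$CONF"
}

if should_reload "${reason:-}" "${old_ip_address:-}" "${new_ip_address:-}"; then
    rebuild_tunnel "$new_ip_address"
fi
```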
