Re: ipsec.conf ,routers and endpoints - third try
> firewall dual homed
> network facing static nic address = 5.5.5.4 (rfc1918/rfc6598)
> virgin media router facing static nic address = 3.3.3.2
> (rfc1918/rfc6598)
> virgin media router static address = 3.3.3.3 (rfc1918/rfc6598)
> virgin media dynamic wan address = 1.1.1.1 (internet-routable)
> firewall default route = 3.3.3.3
> network_a default route = 5.5.5.4
> your local_gw address would be the router-facing rfc1918 address and remote_gw would be the dynamic internet-routable address of the other gateway.
> hi stuart
> thanks for your answer and advice,
> i am working on a modified ddns update script to signal a restart of
> isakmpd when the dynamic ip changes, will implement isakmpd else will
> follow your suggestion and use openvpn for my net to net link, i had
> already planned to use openvpn for my roadwarriors.
> shadrock
>
> The problem is that when the address of one side changes, it's the *other* side that you need to restart. so you might want a regularly-run script to do a lookup to work out when this needs doing, although in practice I don't think VM change addresses all that often so it might be good enough to have the update script email/text you to tell you to update the other side...

hi stuart

having reread your first post on the subject, i now realize when the address of one side changes it's the *other* side that needs to update remote_gw in ipsec.conf and restart. i was considering each end running a script which used ping to check connectivity to the remote gateway like openvpn's method, if ping timed out then a dns hostname lookup would be used to resolve the ip, ipsec.conf would then be updated and restarted and an email sent to the manager of the network informing of the remote address change. this would be all scripted so there would be no need for me to get involved.

shadrock
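The ping-then-lookup script sketched in the post above, written out as an added example that is not code from this thread. It assumes an OpenBSD-style ipsec.conf that names the far side through a `remote_gw="..."` macro line, a DDNS hostname for the peer, dig(1) for the lookup, and /etc/rc.d/isakmpd for the restart.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumes ipsec.conf defines the
# peer with a macro line such as   remote_gw="1.1.1.1"   and that a DDNS
# hostname tracks the peer's dynamic address.

# Accept only a dotted-quad IPv4 address so that a failed or odd DNS
# answer is never written into the configuration.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the address currently assigned to the remote_gw macro.
current_remote_gw() {
    sed -n 's/^remote_gw="\([^"]*\)".*/\1/p' "$1"
}

# Rewrite the remote_gw macro. Returns 0 when the file was changed,
# 1 when the address was already current, 2 when the address is invalid.
update_remote_gw() {
    conf=$1; new=$2
    valid_ipv4 "$new" || return 2
    [ "$(current_remote_gw "$conf")" = "$new" ] && return 1
    sed "s/^remote_gw=\"[^\"]*\"/remote_gw=\"$new\"/" "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# Resolve the peer's DDNS hostname to its first A record (dig(1) assumed).
resolve_peer() {
    dig +short "$1" A | grep -E '^[0-9.]+$' | head -n 1
}

# The check described in the thread: ping the known peer address and only
# when it stops answering look the hostname up, update ipsec.conf, restart
# isakmpd and mail the administrator.
sync_peer() {
    host=$1; conf=$2
    cur=$(current_remote_gw "$conf")
    ping -c 3 -w 5 "$cur" >/dev/null 2>&1 && return 0     # still reachable
    new=$(resolve_peer "$host")
    update_remote_gw "$conf" "$new" || return $?           # unchanged or bad lookup
    /etc/rc.d/isakmpd restart && ipsecctl -f "$conf"      # restart path assumed
    printf 'IPsec peer %s moved from %s to %s\n' "$host" "$cur" "$new" \
        | mail -s "remote_gw updated on $(hostname)" root
}

# Run from cron with the peer's hostname in PEER_HOST (constructed usage).
if [ -n "${PEER_HOST-}" ]; then
    sync_peer "$PEER_HOST" /etc/ipsec.conf
fi
```

Both gateways run the same script against each other's hostname, so whichever side kept its address is the one that rewrites its remote_gw, which is the point Stuart makes about the *other* side needing the restart.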
Re: ipsec.conf ,routers and endpoints - third try
On 2012-05-08, shadrock wrote:
> hi stuart
> thanks for your answer and advice,
> i am working on a modified ddns update script to signal a restart of
> isakmpd when the dynamic ip changes, will implement isakmpd else will
> follow your suggestion and use openvpn for my net to net link, i had
> already planned to use openvpn for my roadwarriors.
> shadrock
>

The problem is that when the address of one side changes, it's the *other* side that you need to restart. so you might want a regularly-run script to do a lookup to work out when this needs doing, although in practice I don't think VM change addresses all that often so it might be good enough to have the update script email/text you to tell you to update the other side... (there is a 'static IP' option on VM business services but afaict they are just about as likely to change addresses on you as the standard service, just that they try and tell you about it beforehand).
Re: ipsec.conf ,routers and endpoints - third try
hi stuart thanks for your answer and advice, i am working on a modified ddns update script to signal a restart of isakmpd when the dynamic ip changes, will implement isakmpd else will follow your suggestion and use openvpn for my net to net link, i had already planned to use openvpn for my roadwarriors. shadrock
Re: ipsec.conf ,routers and endpoints - third try
On 2012-05-04, shadrock wrote:
> firewall dual homed
> network facing static nic address = 5.5.5.4 (rfc1918/rfc6598)
> virgin media router facing static nic address = 3.3.3.2
> (rfc1918/rfc6598)
> virgin media router static address = 3.3.3.3 (rfc1918/rfc6598)
> virgin media dynamic wan address = 1.1.1.1 (internet-routable)
> firewall default route = 3.3.3.3
> network_a default route = 5.5.5.4

So you have no static routable address on either side. This isn't going to work well with isakmpd, you really need a static address on at least one side to use it. DNS lookups are only done when the config is loaded so there's no way to automatically track changed addresses in isakmpd.

If you can live with restarting things when the address changes then your local_gw address would be the router-facing rfc1918 address and remote_gw would be the dynamic internet-routable address of the other gateway.

OpenVPN might be better in this situation, see the 'float' option and/or http://openvpn.net/index.php/open-source/faq/77-server/299-can-openvpn-handle-the-situation-where-both-ends-of-the-connection-are-dynamic.html