Peter Daum wrote:
> B is a Bintec VPN25 router with a dynamic address published via DynDNS.

> A tries to bring the tunnel up. However, A fails since it tries to connect to 
> the OLD IP address. A ping from A to B shows that name resolution works 
> perfectly. So A seems to cache the old IP address within strongSwan and does 
> not update it.

> Why does strongSwan not recognize the new address? The only thing which helps 
> is an ipsec update. This is not feasible as I would have to have a script in 
> place monitoring the connections, recognizing the tunnel went down and 
> issuing an ipsec update (albeit not too early). 

Hi Peter,

there's this tool called starter. It reads the config file, resolves the 
DNS name into an IP address and provides the connection definition 
including the IP address to pluto.
pluto is the IKEv1 daemon. IMHO, it only deals with IP addresses. It 
does neither store nor resolve the DNS name of the peer. Only if you run 
"ipsec update", the tool starter kicks in again, performs a fresh DNS 
lookup and provides the altered connection definition to pluto.

I can think of three different solutions:

1. Tweak pluto so that it saves FQDNs instead of IP addresses and 
performs a new DNS lookup after it declared its peer dead. This would 
result in a rather large modification of pluto.

2. Configure strongSwan to respond to setup requests but not to initiate 
connections. Can you configure the Bintec router in a way that it 
re-initiates the IPsec connection every time it reboots? Does it support 
DPD? The Bintec router should basically keep the connection permanently 
open.

3. Follow Gerd's recommendation and make use of "ipsec starter 
--auto-update <seconds>". But I personally don't like this solution 
because it hammers the DNS server. Plus the update of the IP address 
might be delayed for up to <seconds>.

Btw, can you recommend Bintec's VPN25 router? Does it support NAT-T (NAT 
traversal), DPD and certificate based authentication? I recently 
evaluated a Netgear FVS318 v3 and I got disappointed. It does not 
support NAT-T. The support for X.509 certificates is bad (you cannot 
import private keys) plus the whole firmware crashes when I try to 
connect to strongSwan.

-Daniel
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
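The script below is an added example, not code from this thread or from strongSwan itself. It follows the mechanism Daniel describes (starter resolves the name once and hands pluto an IP address, so a fresh lookup only happens on "ipsec update") and sits between solutions 2 and 3: it polls the DynDNS name at a chosen interval but runs "ipsec update" only when the resolved address actually differs from the cached one, so the config reload is not exercised on every tick. The delay of up to one interval that Daniel notes still applies. The peer name, the state-file path, the resolver (glibc `getent ahostsv4`) and the update command are assumptions and can be overridden through the environment variables at the top.

```shell
#!/bin/sh
# Added example (not strongSwan's own tooling): poll a DynDNS name and issue
# "ipsec update" only when the peer's address really changes.
# All names and paths below are assumptions for illustration.

PEER_NAME="${PEER_NAME:-vpn-b.example.org}"      # hypothetical DynDNS name of B
STATE_FILE="${STATE_FILE:-/var/run/ipsec-peer-ip}" # hypothetical cache of last address
INTERVAL="${INTERVAL:-60}"                         # polling interval in seconds
RESOLVER="${RESOLVER:-resolve_peer}"               # function/command printing one IPv4
UPDATE_CMD="${UPDATE_CMD:-ipsec update}"           # makes starter re-resolve and re-feed pluto

# Default resolver: first IPv4 address from the system resolver (glibc getent).
resolve_peer() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# is_ipv4 STRING -> 0 if STRING is a dotted quad with octets 0..255, else 1.
# Guards against caching an empty or garbage answer from a failed lookup.
is_ipv4() {
    addr=$1
    oldifs=$IFS; IFS=.
    set -f; set -- $addr; set +f
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# check_once NAME STATEFILE
# Resolves NAME, compares it with the cached address in STATEFILE and runs
# $UPDATE_CMD only on a real change. The cache is written only after the
# update command succeeded, so a failed update is retried next tick.
# Exit status: 0 update issued, 1 address unchanged, 2 lookup or update failed.
check_once() {
    name=$1; state=$2
    new=$($RESOLVER "$name") || new=
    if ! is_ipv4 "$new"; then
        echo "lookup of $name failed, keeping cached address" >&2
        return 2
    fi
    old=
    [ -r "$state" ] && old=$(cat "$state")
    if [ "$old" = "$new" ]; then
        return 1
    fi
    echo "$name: '$old' -> '$new', running: $UPDATE_CMD" >&2
    if ! $UPDATE_CMD; then
        echo "$UPDATE_CMD failed, will retry" >&2
        return 2
    fi
    printf '%s\n' "$new" > "$state"
    return 0
}

# monitor: loop forever; status 1 (unchanged) is the normal, quiet case.
monitor() {
    while :; do
        check_once "$PEER_NAME" "$STATE_FILE"
        sleep "$INTERVAL"
    done
}

# Start the loop only when invoked as "script.sh run", so the file can also be
# sourced for testing without blocking.
if [ "${1:-}" = "run" ]; then
    monitor
fi
```

Run it as `PEER_NAME=<dyndns name of B> INTERVAL=30 sh dyndns-watch.sh run` from an init script on A; on the first tick it has no cache and issues one "ipsec update", which is harmless because starter simply re-resolves the name it already resolved at boot.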