Hi,

In case of IKEv1 (using strongswan 4.3.5), the connection structure is uploaded 
to Pluto with the IP address of the FQDN (right-id). However, if the IP address 
changes for the FQDN, could you please tell me how it is reflected back to the 
connection structure already uploaded to Pluto?
One of the scenarios is DPD, where the SA could go down due to a change in the 
peer IP address.
In this case, how will Pluto resolve the FQDN to get the new (changed) IP 
address? Does it happen on the fly?

Regards,
Shashank



-----Original Message-----
From: Andreas Steffen [mailto:[email protected]]
Sent: Thursday, December 24, 2009 12:12 PM
To: N, SHASHANK (SHASHANK)
Cc: [email protected]
Subject: Re: [strongSwan-dev] DNS resolution

Hi Shashank,

strongSwan uses a Linux system call to resolve FQDNs in "right".
The IKEv1 pluto daemon relies on ipsec starter to resolve any hostnames before 
the connection data is uploaded to the daemon via the whack interface whereas 
the IKEv2 charon daemon receives the FQDN as a string via the stroke interface 
and does name resolution on the fly shortly before actually negotiating the 
IPsec tunnel. The name servers are configured in /etc/resolv.conf either 
statically or via NetworkManager. Using the leftsourceip=%config setting 
triggers a virtual IP address/DNS request via the IKEv2 Configuration Payload 
and the additional internal name servers that are delivered by the VPN server 
are automatically added to /etc/resolv.conf either via the default resolve 
plugin or via the nm NetworkManager plugin if using the strongSwan 
NetworkManager Applet. When the VPN connection goes down, these internal 
servers are removed again and only the external or servers remain in 
/etc/resolv.conf.

Kind regards

Andreas

_____________________________________________
From: N, SHASHANK (SHASHANK)
Sent: Thursday, December 24, 2009 10:20 AM
To: '[email protected]'
Subject: DNS resolution

Hi,

In strongswan 4.3 if I give an FQDN for “right”, how will the DNS resolution 
happen?
Does it have an inbuilt DNS client? If yes, then how to configure name-servers?
Any help on this is greatly appreciated.

Thanks and Regards,
Shashank

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
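
Added example (not part of the original thread and not strongSwan code): a small audit of an ipsec.conf that lists the conns whose "right" is an FQDN and says whether, per the reply above, the name is resolved once by ipsec starter before upload to pluto or by charon at negotiation. The sample file, its hostnames and the function names are constructed; it assumes a conn without keyexchange=ikev2 is handled by pluto and does not follow also= includes.

```python
import ipaddress
import re

# Constructed sample ipsec.conf; hostnames and addresses are placeholders.
SAMPLE_CONF = """\
conn %default
    keyexchange=ikev1
conn branch-office
    right=gw.branch.example.org   # FQDN, IKEv1
conn hq
    right=192.0.2.10
conn roadwarrior
    keyexchange=ikev2
    right=vpn.example.org
    leftsourceip=%config
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section headers start in column 0
            m = re.match(r"conn\s+(\S+)$", line)
            current = conns.setdefault(m.group(1), {}) if m else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def is_hostname(value):
    try:
        ipaddress.ip_network(value, strict=False)  # address or subnet
    except ValueError:
        return bool(value) and not value.startswith("%")  # skip %any etc.
    return False

def resolution_point(conns):
    """Map each conn whose 'right' is an FQDN to where it gets resolved."""
    defaults, report = conns.get("%default", {}), {}
    for name, opts in conns.items():
        merged = {**defaults, **opts}
        if name != "%default" and is_hostname(merged.get("right", "")):
            # Assumption: a missing keyexchange (or "ike") means IKEv1/pluto.
            ikev2 = merged.get("keyexchange", "ikev1") == "ikev2"
            report[name] = "charon, at negotiation" if ikev2 else "starter, at load"
    return report
```

Conns reported as "starter, at load" keep the address that was current when the configuration was uploaded, which is the case the follow-up question asks about.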
