On Sun, May 13, 2012 at 11:58:42PM +0200, Mirko Parthey wrote:
> With the dual configuration you proposed (specific host + %any),
> Charon can start up an IKE SA when only one side has correct DNS
> information, and it is not necessary to know beforehand which side this
> is.
>
> I'll use this setup for real now, and report back in case of problems.

Hi Tobias,

it turns out this doesn't work well yet when the DNS server is
unreachable during connection startup.

charon log from sun:

...
May 25 00:44:12 13[CFG] added configuration 'net-net'
May 25 00:44:12 15[CFG] received stroke: initiate 'net-net'
May 25 00:44:12 15[MGR] checkout IKE_SA by config
May 25 00:44:12 15[MGR] created IKE_SA (unnamed)[1]
May 25 00:44:12 15[LIB] resolving 'moon.ipsec' failed: Name or service not known
May 25 00:44:12 15[IKE] unable to initiate to %any
May 25 00:44:12 15[MGR] checkin and destroy IKE_SA net-net[1]
May 25 00:44:12 15[MGR] tried to check-in and delete nonexisting IKE_SA
May 25 00:44:12 15[IKE] IKE_SA net-net[1] state change: CREATED => DESTROYING
...

No further retries are done, net-net stays down.
This differs from an unreachable peer with working name resolution,
where IKE_SA_INIT is retried as desired.

If I understand this correctly, a failed DNS query is treated the same
as a peer address of %any in ipsec.conf. In the latter case, retrying
is not useful, but for a failed DNS query, it would be.

Would it be an option to proceed in spite of the missing peer IP
address, and do the name resolution later, so it can be retried?

Regards,
Mirko
_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
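The distinction the message asks for, a peer given as `%any` (nothing to initiate to, so no retry is useful) versus a DNS name whose lookup failed (worth retrying later), can be modelled in a few lines. The following is an added example, not strongSwan or charon code, and not code from the thread: it classifies a peer specification as an IP literal, `%any` or a hostname, retries only the hostname case, and raises a distinct exception when the retry budget is exhausted so a caller could reschedule instead of destroying the connection. The `flaky_resolver` helper, the `moon.ipsec` name reused from the log, and the `192.0.2.x` addresses are constructed for offline demonstration.

```python
"""Model of peer-address handling at connection start. Added example, not
strongSwan/charon code: it separates an IP literal, the literal '%any' and a
DNS name, and treats a DNS failure as a transient condition to retry rather
than as equivalent to '%any'."""
import ipaddress
import socket
import time
from typing import Callable, List, Optional

PEER_ANY = "%any"
Resolver = Callable[[str], str]  # hostname -> IPv4/IPv6 address string


class PeerUnresolved(Exception):
    """Raised when a DNS name could not be resolved within the retry budget."""


def classify_peer(spec: str) -> str:
    """Return 'any', 'address' or 'hostname' for a peer specification."""
    if spec == PEER_ANY:
        return "any"
    try:
        ipaddress.ip_address(spec)
        return "address"
    except ValueError:
        return "hostname"


def system_resolver(hostname: str) -> str:
    """Default resolver: first address from getaddrinfo(); raises socket.gaierror."""
    info = socket.getaddrinfo(hostname, None)
    return info[0][4][0]


def resolve_peer(spec: str, resolver: Resolver = system_resolver,
                 attempts: int = 3, delay_s: float = 0.0,
                 log: Optional[List[str]] = None) -> Optional[str]:
    """Decide what address to initiate to.

    Returns the address for an IP literal or a resolved hostname, and None for
    '%any' (only responding is possible, so retrying makes no sense). A DNS
    failure is retried up to `attempts` times and then raised as PeerUnresolved,
    so the caller can schedule another attempt later.
    """
    kind = classify_peer(spec)
    if kind == "any":
        return None
    if kind == "address":
        return spec
    last_error: Optional[Exception] = None
    for attempt in range(1, attempts + 1):
        try:
            addr = resolver(spec)
            if log is not None:
                log.append(f"resolved '{spec}' to {addr} on attempt {attempt}")
            return addr
        except socket.gaierror as exc:
            # As the log above shows, an unreachable DNS server surfaces as
            # "Name or service not known" just like a missing record, so the
            # error code alone cannot separate permanent from transient
            # failures; every failure is therefore treated as retryable.
            last_error = exc
            if log is not None:
                log.append(f"resolving '{spec}' failed: {exc} (attempt {attempt}/{attempts})")
            if attempt < attempts:
                time.sleep(delay_s)
    raise PeerUnresolved(f"{spec}: {last_error}")


def flaky_resolver(failures_before_success: int, answer: str) -> Resolver:
    """Constructed resolver for offline use: fails N times, then answers."""
    state = {"calls": 0}

    def resolve(hostname: str) -> str:
        state["calls"] += 1
        if state["calls"] <= failures_before_success:
            # -2 is glibc's EAI_NONAME, the code behind "Name or service not known"
            raise socket.gaierror(-2, "Name or service not known")
        return answer
    return resolve


if __name__ == "__main__":
    events: List[str] = []
    # Constructed scenario: 'moon.ipsec' answers only on the third lookup.
    print(resolve_peer("moon.ipsec", flaky_resolver(2, "192.0.2.1"), attempts=3, log=events))
    print("\n".join(events))
    print(resolve_peer("%any"))        # None: passive side, nothing to retry
    print(resolve_peer("192.0.2.2"))   # literal address, no DNS involved
```

Swap in `system_resolver` (the default) to exercise the real resolver; the `delay_s` argument gives a fixed pause between attempts, which a daemon would more likely replace with the same backoff it already uses for an unanswered IKE_SA_INIT.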
