Hi everybody

Using ipsec on a couple of firewalls with dynamic IPs (PPPoE or DHCP), we
have noticed that the running ipsec sometimes prevents the interface from
getting a new address, and ipsec will never be configured correctly for the
new IP address.

Our solution: stop and start ipsec when the IP addresses change. Ipsec is
not started automatically:

*********For ADSL (PPPoE), I have the following scripts:
----------- /etc/ppp/ip-down.d/ipsec_stop -----------
#!/bin/sh
/etc/init.d/ipsec stop

----------- /etc/ppp/ip-up.d/ipsec_start  -----------
#!/bin/sh
/etc/init.d/ipsec start


*********For dhcpcd.lrp we use the following dhcpcd.exe:
----------- /etc/dhcpc/dhcpcd.exe -------------------
#!/bin/sh
# dhcpcd runs this hook on every lease event; the event name is passed as $2.

STATUS=$2 # up, down or new

case "$STATUS" in
  down) # Lost my IP address: tear ipsec down before its routes go stale
        /etc/init.d/ipsec stop
        ;;
  new)  # New IP address: restart ipsec (and dynamic DNS) against the new address
        /etc/init.d/ipsec stop
        mv /etc/resolv.conf /etc/resolv.conf.mc.sv
        cp /var/log/resolv.conf.mc /etc/resolv.conf
        /etc/init.d/ipsec start
        /etc/init.d/ez-ipupd start
        ;;
  up)   # Same address renewed: might work without action,
        # or might need a restart as well
        mv /etc/resolv.conf /etc/resolv.conf.mc.sv
        cp /var/log/resolv.conf.mc /etc/resolv.conf
        ;;
esac
-----SNIP-----

Ipsec defines routes based on the current IP address, and adds itself to an
interface. If the interface loses its address, the ipsec scripts controlling
the routes are not started again.

Hope this helps
Alex
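A more defensive variant of the dhcpcd.exe hook described above, added here as an example and not taken from Alex's post or the LEAF project: it records the last leased address and restarts ipsec only when the address actually changed, which settles the "up" case the post leaves open. The state file path, the IPADDR variable in dhcpcd's info file and the init script path are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's script: restart IPsec only when the
# address really changed. STATE_FILE, the IPADDR variable in dhcpcd's info
# file and the init-script path are assumptions for illustration.
STATE_FILE="${STATE_FILE:-/var/run/ipsec_last_ip}"
IPSEC_INIT="${IPSEC_INIT:-/etc/init.d/ipsec}"

# ipsec_action STATUS NEW_IP OLD_IP -> prints stop, start, restart or none.
# STATUS is dhcpcd's $2 (up, down or new), as in the post's dhcpcd.exe.
ipsec_action() {
    status="$1"; new_ip="$2"; old_ip="$3"
    case "$status" in
        down) echo stop ;;                 # lease lost: tear tunnels down
        new|up)
            if [ -z "$old_ip" ]; then
                echo start                 # first lease: nothing running yet
            elif [ "$new_ip" != "$old_ip" ]; then
                echo restart               # address changed: SAs and routes stale
            else
                echo none                  # same address renewed: leave it alone
            fi ;;
        *) echo none ;;
    esac
}

# ipsec_apply ACTION: drive the init script; kept apart so decisions are testable.
ipsec_apply() {
    case "$1" in
        stop)    "$IPSEC_INIT" stop ;;
        start)   "$IPSEC_INIT" start ;;
        restart) "$IPSEC_INIT" stop; "$IPSEC_INIT" start ;;
    esac
}

# ipsec_hook INFO_FILE STATUS: dhcpcd.exe entry point. The info file is assumed
# to be a shell fragment defining IPADDR (dhcpcd 1.x style); it is sourced here.
ipsec_hook() {
    [ -r "$1" ] && . "$1"
    status="$2"; new_ip="$IPADDR"; old_ip=""
    [ -r "$STATE_FILE" ] && old_ip=$(cat "$STATE_FILE")
    action=$(ipsec_action "$status" "$new_ip" "$old_ip")
    ipsec_apply "$action"
    if [ "$status" = down ]; then rm -f "$STATE_FILE"; else echo "$new_ip" >"$STATE_FILE"; fi
    echo "$status -> $action"
}

# Run the hook only when installed as dhcpcd.exe, not when sourced for testing.
case "$0" in */dhcpcd.exe) ipsec_hook "$@" ;; esac
```

Installed as /etc/dhcpc/dhcpcd.exe it behaves like the post's script on "down" and "new", but a plain lease renewal no longer tears the tunnels down.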



leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html