ipsec.conf - specifying peer as a fqdn, possible?
Hello, I've been testing some VPN configurations with ipsecctl/ipsec.conf on 3.9-CURRENT (i386), a snapshot from March 30 2006.

Is there a way to specify the peer as an FQDN in an ike esp rule? Something like:

    ike dynamic esp from 10.150.150.2 to 192.168.1.0/24 peer vpn.example.com

(dstid should probably be added). When using this, I get the following error:

    # ipsecctl -vnf ipsec.conf
    no IP address found for vpn.example.com

I know the man page quite clearly says that all addresses in such a rule have to be specified in CIDR notation, but using an FQDN for the peer could be useful for setups in which the endpoint has a dynamic IP and uses something like dyndns to have an FQDN pointing at the right IP.

Did I miss something obvious, or are there legitimate reasons for making this stuff IP addresses only?

Thanks,
Jean
Re: ipsec.conf - specifying peer as a fqdn, possible?
On Tue, 4 Apr 2006 22:54:54 -0400, Jean Raby wrote:
> Hello, I've been testing some VPN configurations with ipsecctl/ipsec.conf on 3.9-CURRENT (i386), a snapshot from March 30 2006.
>
> Is there a way to specify the peer as an FQDN in an ike esp rule? Something like:
>
>     ike dynamic esp from 10.150.150.2 to 192.168.1.0/24 peer vpn.example.com
>
> (dstid should probably be added). When using this, I get the following error:
>
>     # ipsecctl -vnf ipsec.conf
>     no IP address found for vpn.example.com
>
> I know the man page quite clearly says that all addresses in such a rule have to be specified in CIDR notation, but using an FQDN for the peer could be useful for setups in which the endpoint has a dynamic IP and uses something like dyndns to have an FQDN pointing at the right IP.
>
> Did I miss something obvious, or are there legitimate reasons for making this stuff IP addresses only?

I have a patch from Hans-Joerg Hoexer which should allow this, but I cannot test it for a little while because my build machine is tied up with another task that has several days to run yet. Of course you'll have to run -current to use it.

Meanwhile you can do what I did where one end of a connection was on a dynamic IP:

Register the dynamic host with dyndns.com (f.q.d.n used here as a guide).

Have ipsec.conf rules look like:

    ike esp from 10.99.99.0/24 to 172.16.99.0/24 peer 1.2.3.4 srcid static.example.com dstid f.q.d.n

(for example. You'll need a full set at each end.)

Then have a cron job at the static end that checks to see if the IP changes, and if it does, have a script that rewrites ipsec.conf with the new peer IP and does ipsecctl -f /etc/ipsec.conf at the end. The script, of course, only needs to update the static end rules. That isn't really hard to do.

From the land down under: Australia.
Do we look umop apisdn from up over?
Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.
Re: ipsec.conf - specifying peer as a fqdn, possible?
Yup, sounds like a good workaround. Actually, both endpoints have dynamic IPs, so the script would have to get the peer's IP from the FQDN, but that's not a problem.

If you don't mind sending the patch my way, I'd like to see the diff; I tried to figure out how that stuff worked yesterday, but it was getting late...

Thanks,
Jean

On 4/4/06, Rod.. Whitworth [EMAIL PROTECTED] wrote:
> On Tue, 4 Apr 2006 22:54:54 -0400, Jean Raby wrote:
> > Hello, I've been testing some VPN configurations with ipsecctl/ipsec.conf on 3.9-CURRENT (i386), a snapshot from March 30 2006.
> >
> > Is there a way to specify the peer as an FQDN in an ike esp rule? Something like:
> >
> >     ike dynamic esp from 10.150.150.2 to 192.168.1.0/24 peer vpn.example.com
> >
> > (dstid should probably be added). When using this, I get the following error:
> >
> >     # ipsecctl -vnf ipsec.conf
> >     no IP address found for vpn.example.com
> >
> > I know the man page quite clearly says that all addresses in such a rule have to be specified in CIDR notation, but using an FQDN for the peer could be useful for setups in which the endpoint has a dynamic IP and uses something like dyndns to have an FQDN pointing at the right IP.
> >
> > Did I miss something obvious, or are there legitimate reasons for making this stuff IP addresses only?
>
> I have a patch from Hans-Joerg Hoexer which should allow this, but I cannot test it for a little while because my build machine is tied up with another task that has several days to run yet. Of course you'll have to run -current to use it.
>
> Meanwhile you can do what I did where one end of a connection was on a dynamic IP:
>
> Register the dynamic host with dyndns.com (f.q.d.n used here as a guide).
>
> Have ipsec.conf rules look like:
>
>     ike esp from 10.99.99.0/24 to 172.16.99.0/24 peer 1.2.3.4 srcid static.example.com dstid f.q.d.n
>
> (for example. You'll need a full set at each end.)
>
> Then have a cron job at the static end that checks to see if the IP changes, and if it does, have a script that rewrites ipsec.conf with the new peer IP and does ipsecctl -f /etc/ipsec.conf at the end. The script, of course, only needs to update the static end rules. That isn't really hard to do.
>
> From the land down under: Australia.
> Do we look umop apisdn from up over?
> Do NOT CC me - I am subscribed to the list.
> Replies to the sender address will fail except from the list-server.
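The cron-driven workaround Rod describes, extended as Jean notes so the script resolves the peer's current address from its FQDN, written out as an added example script. This is not code from the thread, from either poster, or from OpenBSD; it assumes the rule layout from Rod's reply (the remote end identified by the dstid f.q.d.n, the config in /etc/ipsec.conf), uses host(1) for the lookup, and lets IPSECCTL be overridden so the rewrite logic can be exercised without the real tool.

```shell
#!/bin/sh
# update_peer.sh: added example, not from the thread or from OpenBSD.
# Refresh the "peer" address of the ike rules for one dstid from a
# dynamic-DNS name, then reload with ipsecctl(8).
#
# Assumptions (not in the original posts): the remote end is identified
# by the dstid f.q.d.n, the config lives in /etc/ipsec.conf, host(1) is
# the resolver, and IPSECCTL may be overridden for testing.

CONF=${CONF:-/etc/ipsec.conf}
IPSECCTL=${IPSECCTL:-ipsecctl}

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255, so a
# malformed or empty DNS answer can never be written into the config.
is_ipv4() {
    echo "$1" | awk -F. '
        NF == 4 {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            exit 0
        }
        { exit 1 }'
}

# resolve_a NAME: print the first A record host(1) reports, or nothing.
# The answer is unauthenticated DNS; IKE's srcid/dstid authentication,
# not this lookup, is what must reject an impostor at that address.
resolve_a() {
    host -t a "$1" 2>/dev/null | awk '/has address/ { print $4; exit }'
}

# current_peer FILE DSTID: print the peer address of the first ike rule
# whose dstid equals DSTID.
current_peer() {
    awk -v id="$2" '
        $1 == "ike" {
            for (i = 1; i < NF; i++) {
                if ($i == "peer") peer = $(i + 1)
                if ($i == "dstid" && $(i + 1) == id) { print peer; exit }
            }
        }' "$1"
}

# rewrite_peer FILE DSTID NEWIP: copy FILE to stdout, replacing the peer
# of every ike rule that carries dstid DSTID; other lines are untouched.
rewrite_peer() {
    awk -v id="$2" -v ip="$3" '
        $1 == "ike" {
            hit = 0
            for (i = 1; i < NF; i++)
                if ($i == "dstid" && $(i + 1) == id) hit = 1
            if (hit)
                for (i = 1; i < NF; i++)
                    if ($i == "peer") $(i + 1) = ip
        }
        { print }' "$1"
}

# update_peer DSTID NEWIP: if the peer changed, write a new config, check
# it with "ipsecctl -n" and only then install and load it.
# Returns 0 when reloaded, 1 when nothing changed, 2 on a bad address or
# a rewritten config that ipsecctl refuses to parse.
update_peer() {
    dstid=$1; newip=$2
    is_ipv4 "$newip" || return 2
    [ "$(current_peer "$CONF" "$dstid")" = "$newip" ] && return 1
    # mktemp gives mode 0600, which is what a file holding a PSK needs.
    tmp=$(mktemp "$CONF.XXXXXX") || return 2
    rewrite_peer "$CONF" "$dstid" "$newip" > "$tmp"
    if ! "$IPSECCTL" -n -f "$tmp"; then
        rm -f "$tmp"
        return 2
    fi
    mv "$tmp" "$CONF" && "$IPSECCTL" -f "$CONF"
}

# Assumed crontab line:  */5 * * * * /usr/local/sbin/update_peer.sh run
# The resolver only runs when invoked with "run", not when sourced.
if [ "${1:-}" = "run" ]; then
    name=${2:-f.q.d.n}
    update_peer "$name" "$(resolve_a "$name")"
fi
```

Two points a practitioner should keep in mind: the script refuses to touch the config when the lookup returns nothing or garbage, and it never installs a file that ipsecctl -n rejects, so a DNS hiccup leaves the last working tunnel definition in place. It also does nothing to verify who answers at the new address; that remains the job of the IKE identities and keys configured via srcid/dstid on both ends.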