Howard Lowndes wrote:
> I am setting up FreeS/WAN IPsec tunnels between two sites that both have
> dynamic IPs.
> 
> I can get both sites to do a dynamic DNS update (both forward and reverse)
> to a DNS server with a static IP before I need the tunnels to come up.
> 
> At the left end, basically the listening end, I have no problems because I
> use:
> keyingretries=1
> left=%defaultroute
> leftrsasigkey=%dns
> [EMAIL PROTECTED]
> right=%any
> rightrsasigkey=%dns
> [EMAIL PROTECTED]
> auto=add
> 
> At the right end, the sending end, I use what is essentially a Road
> Warrior setting:
> keyingretries=0
> leftrsasigkey=%dns
> [EMAIL PROTECTED]
> right=%defaultroute
> rightrsasigkey=%dns
> [EMAIL PROTECTED]
> auto=start
> 
> What I would like to put here is:
> left=%dns
> 
> It makes sense to me that that should work; after all, it uses the DNS to
> get the KEY record, so why not the A record? But it is not valid.
> 
> I was wondering if opportunistic keying might be the answer, but apart
> from having difficulty understanding it, I am not sure if it is what I
> want anyway.
> 
> Any ideas?

It would simply be:
 left=left.domain.name.com
wouldn't it?

Do you restart FreeS/WAN after each DNS update?
FreeS/WAN converts everything into IP addresses at startup (including
%defaultroute settings), which is nasty for dynamic environments.

I'd just use (X.509) certificates and:
 left=%any
 right=%defaultroute
 leftcert=Mycert.pem
 rightcert=Theircert.pem

chucking *cert.pem into /etc/ipsec.d/

(i.e., identify by certificate and ignore DNS altogether)

-- 
 - Gus
-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
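Added example (not from the thread or from FreeS/WAN itself): Gus's point that pluto resolves names only when a conn is loaded means a dynamic-DNS peer needs the conn re-added whenever its A record moves. The script below, a hypothetical cron/hook helper, resolves the peer name, compares it with the last address it acted on, and only then runs `ipsec auto --replace` followed by `ipsec auto --up` so the fresh address is picked up. It assumes the FreeS/WAN `ipsec auto` front end and `dig` are installed; the conn name, peer hostname and state-file path are placeholders. The address check rejects anything that is not a plain dotted quad so a failed or CNAME-only answer is never passed to `ipsec`.

```shell
#!/bin/sh
# Hypothetical helper, not part of FreeS/WAN: re-add a conn when the peer's
# dynamic-DNS A record changes. Names below are placeholders.
CONN="${CONN:-site2site}"                 # conn name in ipsec.conf
PEER_HOST="${PEER_HOST:-right.example.org}"   # peer's dynamic-DNS name
STATE_FILE="${STATE_FILE:-/var/run/ipsec-peer-${CONN}.ip}"

# is_ipv4 ADDR: succeed only for a dotted quad with every octet <= 255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.)([0-9]{1,3}\.)([0-9]{1,3}\.)[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$1" "$2" "$3" "$4"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# resolve_peer NAME: first A record for NAME, or nothing on failure.
# Assumes dig(1); swap in host(1) if that is what the box has.
resolve_peer() {
    dig +short A "$1" 2>/dev/null | grep -E '^[0-9.]+$' | head -n 1
}

# peer_changed NEW OLD: true when NEW is set and differs from OLD (OLD may be
# empty on the first run).
peer_changed() {
    [ -n "$1" ] && [ "$1" != "$2" ]
}

# reload_conn: --replace is --delete followed by --add, so pluto re-resolves
# the right= name; --up then initiates from the road-warrior side.
reload_conn() {
    ipsec auto --replace "$CONN" && ipsec auto --up "$CONN"
}

main() {
    new=$(resolve_peer "$PEER_HOST")
    if ! is_ipv4 "$new"; then
        echo "no usable A record for $PEER_HOST" >&2
        exit 1
    fi
    old=$(cat "$STATE_FILE" 2>/dev/null)
    if peer_changed "$new" "$old"; then
        reload_conn && printf '%s\n' "$new" > "$STATE_FILE"
    fi
}

# Only act when explicitly asked, e.g. from cron: RUN_WATCHER=1 ./watch.sh
if [ "${RUN_WATCHER:-0}" = 1 ]; then
    main
fi
```

Run it from cron a minute or two after the dynamic-DNS update fires; the state file keeps it from churning the tunnel on every pass. The cert-based identity Gus suggests still fits on top of this, since it only changes how the peer is authenticated, not how its address is learned.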