Howard Lowndes wrote:
> I am setting up FreeS/WAN IPSec tunnels between two sites that both have
> dynamic IPs.
>
> I can get both sites to do a dynamic DNS update (both forward and reverse)
> to a DNS server with a static IP before I need the tunnels to come up.
>
> At the left end, basically the listening end, I have no problems because I
> use:
> keyingretries=1
> left=%defaultroute
> leftrsasigkey=%dns
> [EMAIL PROTECTED]
> right=%any
> rightrsasigkey=%dns
> [EMAIL PROTECTED]
> auto=add
>
> At the right end, the sending end, I use what is essentially a Road
> Warrior setting:
> keyingretries=0
> leftrsasigkey=%dns
> [EMAIL PROTECTED]
> right=%defaultroute
> rightrsasigkey=%dns
> [EMAIL PROTECTED]
> auto=start
>
> What I would like to put here is:
> left=%dns
>
> It makes sense to me that that should work, after all it uses the DNS to
> get the KEY record so why not the A record, but it is not valid.
>
> I was wondering if opportunistic keying might be the answer, but apart
> from having difficulty understanding it, I am not sure if it is what I
> want anyway.
>
> Any ideas?
It would simply be:

left=left.domain.name.com

wouldn't it? Do you restart freeswan after each DNS update? freeswan converts everything into IP addresses at startup (including %defaultroute settings..), which is nasty for dynamic environments.

I'd just use (x.509) certificates and:

left=%any
right=%defaultroute
leftcert=Mycert.pem
rightcert=Theircert.pem

chucking *cert.pem into /etc/ipsec.d/ (ie: identify by certificate, and ignore DNS altogether)

--
- Gus

--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
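If the hostname route is kept rather than certificates, the consequence of Gus's point (names are resolved only when the conn is loaded) is that something has to re-add the conn after the peer's dynamic DNS record changes. The following watcher script is an added example, not code from the thread or from FreeS/WAN; the conn name "dyn-tunnel", the peer name "right.example.com" and the state file path are placeholders, and it assumes that `ipsec auto --replace` re-reads ipsec.conf and so re-resolves the hostname.

```shell
#!/bin/sh
# Added example (not from the thread): re-add a FreeS/WAN conn when the
# peer's dynamic DNS name starts resolving to a new address. Assumed
# placeholders: conn "dyn-tunnel", peer "right.example.com", state file.
CONN="${CONN:-dyn-tunnel}"
PEER="${PEER:-right.example.com}"
STATE="${STATE:-/var/run/${CONN}.peer}"

# Read "getent hosts" style lines on stdin and print the first IPv4 address.
first_ipv4() {
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1; exit }'
}

# Resolve the peer name; prints nothing if the lookup fails.
resolve_peer() {
    getent hosts "$1" 2>/dev/null | first_ipv4
}

# "skip" = lookup failed (leave the tunnel alone), "none" = unchanged,
# "replace" = the address changed, so the conn must be re-added.
decide_action() {
    cached="$1"; current="$2"
    if [ -z "$current" ]; then
        echo skip
    elif [ "$cached" = "$current" ]; then
        echo none
    else
        echo replace
    fi
}

# --replace deletes and re-adds the conn from ipsec.conf (assumed to
# re-resolve the hostname); --up re-initiates it to the new address.
refresh_tunnel() {
    ipsec auto --replace "$1" && ipsec auto --up "$1"
}

main() {
    cached=""
    [ -r "$STATE" ] && cached=$(cat "$STATE")
    current=$(resolve_peer "$PEER")
    case "$(decide_action "$cached" "$current")" in
        skip)    echo "lookup of $PEER failed; keeping current tunnel" >&2 ;;
        none)    ;;
        replace) refresh_tunnel "$CONN" && printf '%s\n' "$current" > "$STATE" ;;
    esac
}
# Run from cron every few minutes; not run when the file is only sourced.
[ "${0##*/}" = "dyn-tunnel-watch.sh" ] && main
```

A failed lookup deliberately leaves the existing tunnel in place, so a flapping DNS server does not tear down a working SA.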