We are using 3.15 currently on CentOS6 and working on Libre-Libre connections.
We have a nice simple working setup with PSK that works well with static IPs. The problems occur with a Dynamic 'Client/Host'. I know this is not a favoured solution but..... We have noticed two apparent issues.

First is matching identities. I have tried a variety of combinations of DPD actions/timeouts etc. and things like

    right=%any
    rightid=remote.dyndns.org
    [email protected]

(and with leftid too), all to no avail. It seems the ID from the Dynamic host does not match the secret, but I can't for the life of me see how to do this so the Dynamic host sends an ID that the Static recognises. Any suggestions on what I am doing wrong? I am sure it is dead simple but I have run out of ideas.

Current configs, working once both ends are up and ipsec is started at both ends:

    conn StaticToDynamic
        type=tunnel
        authby=secret
        auto=add
        ike=aes-sha1
        phase2alg=aes-sha1
        ikelifetime=3600s
        salifetime=28800s
        pfs=yes
        left=%defaultroute
        leftsourceip=192.168.90.1
        leftsubnet=192.168.90.0/24
        rightsubnet=192.168.20.0/24
        right=remote.dyndns.org

    conn DynamicToStatic
        type=tunnel
        authby=secret
        auto=start
        ike=aes-sha1
        phase2alg=aes-sha1
        ikelifetime=3600s
        salifetime=28800s
        pfs=yes
        left=%defaultroute
        leftsourceip=192.168.20.1
        leftsubnet=192.168.20.0/24
        rightsubnet=192.168.90.0/24
        right=1.2.3.4          (Static host IP)

Secrets:

On Static:

    # StaticToDynamic is enabled
    1.2.3.4 remote.dyndns.org : PSK "SomeLongAndComplicatedPassword"

On Dynamic, if we use this it works once the new IP is established:

    # DynamicToStatic is enabled
    {current.dynamic.ip} 1.2.3.4 : PSK "SomeLongAndComplicatedPassword"

If we use this with the domain name it does not work at all:

    # DynamicToStatic is enabled
    remote.dyndns.org 1.2.3.4 : PSK "SomeLongAndComplicatedPassword"

This works on Static once the new IP is established:

    # StaticToDynamic is enabled
    1.2.3.4 %any : PSK "SomeLongAndComplicatedPassword"

Obviously %any is not so cool!
I am probably going to modify my script so that Dynamic clients HAVE to use a minimum of rsasigs, but I'd like to know what we are doing right or wrong.

Second issue seems to be when the Dynamic host renews its IP this never seems to be picked up by the Static host without a restart of ipsec on the Static host, and a restart of ipsec on the Dynamic. We also noted that if the Dynamic client comes up it tries to connect several times and then just stops trying - or at least the Static host sees no more attempts. keyingtries is set at 0 (left at default) so I would think it would keep hammering away, but apparently not, and Dynamic needs a restart to get it to go again.

    ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;

Sequence we had to use to get it to work:

1. Dynamic client up
2. Static host wait for new IP
3. Next two can be swapped...
   Static:  ipsec auto --replace StaticToDynamic   (once the new IP was recognised in DNS)
   Dynamic: ipsec restart

We've tried what feels like a million permutations on this! Any other suggestions please?

B. Rgds
John
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
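For comparison, an added Libreswan ipsec.conf/ipsec.secrets fragment (not from John's post) showing the usual way to bind a PSK to an identity instead of an address: both peers set leftid/rightid to @-prefixed identities and the secrets file is keyed on those identities, so neither the changing address nor %any appears in it. IKEv2 is required for this, because in IKEv1 main mode the responder must select the PSK by the peer's source address before the peer's ID has been received. The static host's identity static.example.org and the DPD values are assumptions; 1.2.3.4, remote.dyndns.org and the subnets are taken from the post.

```ini
# /etc/ipsec.conf on the static host (assumed identity @static.example.org)
conn StaticToDynamic
    type=tunnel
    ikev2=insist            # PSK-by-identity needs IKEv2: IKEv1 main mode picks the PSK by peer IP
    authby=secret
    auto=add                # responder only; the peer's address is unknown until it connects
    ike=aes-sha1
    phase2alg=aes-sha1
    pfs=yes
    left=1.2.3.4
    leftid=@static.example.org
    leftsourceip=192.168.90.1
    leftsubnet=192.168.90.0/24
    right=%any              # accept any source address...
    rightid=@remote.dyndns.org   # ...but only this identity, proven with its PSK
    rightsubnet=192.168.20.0/24
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear         # drop the dead SA; the dynamic side re-initiates from its new address

# /etc/ipsec.conf on the dynamic host
conn DynamicToStatic
    type=tunnel
    ikev2=insist
    authby=secret
    auto=start
    ike=aes-sha1
    phase2alg=aes-sha1
    pfs=yes
    left=%defaultroute
    leftid=@remote.dyndns.org    # sent as the IKEv2 IDi, independent of the current address
    leftsourceip=192.168.20.1
    leftsubnet=192.168.20.0/24
    right=1.2.3.4
    rightid=@static.example.org
    rightsubnet=192.168.90.0/24
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart       # re-establish the tunnel after an address change or outage
    keyingtries=%forever    # keep retrying instead of giving up after a burst of attempts

# /etc/ipsec.secrets, identical on both hosts: the PSK is bound to the two identities
@static.example.org @remote.dyndns.org : PSK "SomeLongAndComplicatedPassword"
```

Because the static side matches on rightid rather than on an address, a connection from an address that does not present @remote.dyndns.org (or cannot prove the PSK for it) is rejected rather than matched by %any.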
