On Thu, 10 Dec 2015, Tony Whyman wrote:

> The thread on converting from Openswan to Libreswan reminded me of the following script that I have added to all my Ubuntu systems which use DHCP rather than static IP addresses. The script is installed as:
>
> /etc/network/if-up.d/ipsec
>
> and seems to be necessary for pluto to recognise a change to the local IP Address.

That's a rather blunt hammer. You should replace that with only:

        ipsec whack --listen

> have such a script. I started installing this script with Openswan and it still seems necessary with Libreswan (1.15). Without it there seems to be a race condition on startup with pluto sometimes failing to pick the external interface, especially if DHCP is a bit slow. The script is essential when I am using a Laptop and moving between WiFi networks.

There is a bit of history behind this. Originally, pluto's design was
not meant to gain or lose IP addresses on the fly. However, the world
changes and this now happens for everyone. pluto should be extended to
deal with this. In a NetworkManager world, NM can send a notify that
pluto could act on. But it might be easier and more generic for pluto
to monitor for networking changes itself.

Note that pluto "orients" connections to determine if it is "left" or
"right" when the connection loads. So a network change might require
re-orienting connections. That's fine for connections loaded and not
up. What to do with active tunnels is more tricky.

> to see which interfaces pluto is listening on. Then connect the network and once the IP Address is assigned, run the above again. Without the script there is no change to the interfaces that pluto is listening on. With the script - pluto will have picked up the new IP Address. It's a pity a full restart is necessary but I can't seem to find any other way to get pluto to update its attachments.

I guess you should look at what event triggers when DHCP completes, and
cause that event to run "ipsec whack --listen".

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
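Worked example of what Paul suggests above: a hook that reacts to the interface-up / DHCP-complete event by running "ipsec whack --listen" rather than restarting pluto (which would tear down every established tunnel). This is an added example, not Tony's script and not part of Libreswan. The install path /etc/network/if-up.d/ipsec is the one from the thread; ifupdown exports IFACE and MODE to such hooks. The same file also accepts the interface name and action as positional arguments, which is what a NetworkManager dispatcher script receives (the dispatcher.d path and its "up"/"dhcp4-change" action names are assumptions about NetworkManager, not something the thread states). Using "ipsec whack --status" as a "is pluto up" check and logging through logger are also my choices.

```shell
#!/bin/sh
# /etc/network/if-up.d/ipsec  (path from the thread; added example, not Libreswan code)
#
# Asks pluto to re-scan its interfaces after an address appears, instead of a
# full "ipsec restart".  Two calling conventions are accepted:
#   ifupdown:          IFACE and MODE ("start"/"stop") in the environment
#   NM dispatcher.d:   interface and action ("up", "dhcp4-change", ...) as $1 $2
# (the NetworkManager argument layout is an assumption, not from the thread).

# Map both hook conventions onto one "iface action" pair on stdout.
normalise_event() {
    if [ -n "$IFACE" ]; then
        printf '%s %s\n' "$IFACE" "$MODE"
    else
        printf '%s %s\n' "$1" "$2"
    fi
}

# Return 0 when the event means a usable address may have appeared and pluto
# should re-scan; 1 for loopback, ifupdown's "--all" pseudo-interface, teardown
# or anything unrecognised.  Being conservative here keeps the hook from
# prodding pluto on every unrelated event.
should_relisten() {
    iface="$1"
    action="$2"
    case "$iface" in
        ''|lo|--all) return 1 ;;
    esac
    case "$action" in
        start|up|dhcp4-change|dhcp6-change) return 0 ;;
        *) return 1 ;;
    esac
}

# Only talk to pluto if it is actually running; "ipsec whack --status" exits
# non-zero when it cannot reach pluto's control socket (assumed check).
pluto_running() {
    command -v ipsec >/dev/null 2>&1 && ipsec whack --status >/dev/null 2>&1
}

main() {
    # shellcheck disable=SC2046  (word-splitting into "iface action" is intended)
    set -- $(normalise_event "$@")
    if should_relisten "$1" "$2" && pluto_running; then
        logger -t ipsec-hook "$1 $2: asking pluto to re-scan interfaces"
        ipsec whack --listen
    fi
}

# Run only when invoked as a hook (ifupdown sets IFACE; NM passes an interface).
if [ -n "$IFACE" ] || [ -n "$1" ]; then
    main "$@"
fi
```

With ifupdown the script is run as root for each interface once it is configured, so for a DHCP interface that is after the lease arrives, which is exactly the point at which pluto needs to look again. Because "ipsec whack --listen" leaves existing connections alone, a laptop roaming between WiFi networks keeps whatever tunnels survived the move; Paul's caveat about re-orienting connections and active tunnels still applies, since that part is pluto's job, not the hook's.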
