On 11/12/2015 19:19, Paul Wouters wrote:

On Thu, 10 Dec 2015, Tony Whyman wrote:

The thread on converting from Openswan to Libreswan reminded me of the following script that I have added to all my Ubuntu systems which use DHCP rather than static IP addresses. The script is installed as:

/etc/network/if-up.d/ipsec

and seems to be necessary for pluto to recognise a change to the local IP Address.

That's a rather blunt hammer. You should replace that with only:

    ipsec whack --listen

have such a script. I started installing this script with Openswan and it still seems necessary with Libreswan (1.15). Without it there seems to be a race condition on startup with pluto sometimes failing to pick the external interface, especially if DHCP is a bit slow. The script is essential when I am using a Laptop and moving between WiFi networks.

There is a bit of history behind this. Originally, pluto's design was
not meant to gain or lose IP addresses on the fly. However, the world
changes and this now happens for everyone. pluto should be extended to
deal with this. In a NetworkManager world, NM can send a notify that
pluto could act on. But it might be easier and more generic for pluto
to monitor for networking changes itself.

Note that pluto "orients" connections to determine if it is "left" or
"right" when the connection loads. So a network change might require
re-orienting connections. That's fine for connections loaded and not
up. What to do with active tunnels is more tricky.

But aren't the active tunnels de facto dead as the far end at that point is still trying to communicate to the old IP address and may even have to wait for DNS propagation to be able to reconnect?

to see which interfaces pluto is listening on. Then connect the network and once the IP Address is assigned, run the above again. Without the script there is no change to the interfaces that pluto is listening on. With the script - pluto will have picked up the new IP Address. It's a pity a full restart is necessary but I can't seem to find any other way to get pluto to update its attachments.

I guess you should look at what event triggers when DHCP completes, and
cause that event to run "ipsec whack --listen".

Have a look at /etc/dhcp/dhclient-exit-hooks. The only thing is, when I tried using it in a very basic way, it triggered every time the lease was renewed. There may be options only to trigger on IP change. I stopped looking at that point as my "dynamic IP" is virtually static and has not changed in over a year now.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan

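A dhclient exit hook that only re-runs "ipsec whack --listen" when the lease event actually changes the address, as an added example that is not from this thread. It assumes the /etc/dhcp/dhclient-exit-hooks path named above and the $reason, $old_ip_address and $new_ip_address variables that dhclient exports to the hook.

```shell
#!/bin/sh
# Assumed install path: /etc/dhcp/dhclient-exit-hooks (sourced by dhclient-script,
# not executed, so the variables below are inherited from dhclient itself).
# Goal: tell pluto to re-scan interfaces on a real address change, not on every
# RENEW of the same lease, which is the problem noted in the thread.

# Returns 0 (true) when a lease event is one pluto needs to know about.
# Arguments: dhclient reason, old address, new address.
ipsec_needs_listen() {
    reason_=$1 old_=$2 new_=$3
    case "$reason_" in
        BOUND|REBOOT)
            # fresh lease at boot or after reconnecting to a network
            return 0 ;;
        RENEW|REBIND)
            # same lease renewed: act only if the address differs
            [ "$old_" != "$new_" ] ;;
        EXPIRE|RELEASE|STOP)
            # address withdrawn: let pluto drop the stale interface
            return 0 ;;
        *)
            # PREINIT, MEDIUM, FAIL, TIMEOUT etc. carry no usable address
            return 1 ;;
    esac
}

# Guarded so that running the file by hand with no dhclient variables is a no-op.
if [ -n "${reason:-}" ] && \
   ipsec_needs_listen "$reason" "${old_ip_address:-}" "${new_ip_address:-}"; then
    # Re-scan interfaces instead of a full "ipsec restart", as suggested above.
    ipsec whack --listen
fi
```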