[strongSwan-dev] support for {left,right}allowany in charon?

Mirko Parthey mirko.parthey at informatik.tu-chemnitz.de
Fri May 25 02:44:54 CEST 2012


On Sun, May 13, 2012 at 11:58:42PM +0200, Mirko Parthey wrote:
> With the dual configuration you proposed (specific host + %any),
> Charon can start up an IKE SA when only one side has correct DNS
> information, and it is not necessary to know beforehand which side this
> is.
> 
> I'll use this setup for real now, and report back in case of problems.

Hi Tobias,

it turns out this doesn't work well yet when the DNS server is
unreachable during connection startup.

charon log from sun:
...
May 25 00:44:12 13[CFG] added configuration 'net-net'
May 25 00:44:12 15[CFG] received stroke: initiate 'net-net'
May 25 00:44:12 15[MGR] checkout IKE_SA by config
May 25 00:44:12 15[MGR] created IKE_SA (unnamed)[1]
May 25 00:44:12 15[LIB] resolving 'moon.ipsec' failed: Name or service not known
May 25 00:44:12 15[IKE] unable to initiate to %any
May 25 00:44:12 15[MGR] checkin and destroy IKE_SA net-net[1]
May 25 00:44:12 15[MGR] tried to check-in and delete nonexisting IKE_SA
May 25 00:44:12 15[IKE] IKE_SA net-net[1] state change: CREATED => DESTROYING
... 
No further retries are done, net-net stays down.

This differs from an unreachable peer with working name resolution,
where IKE_SA_INIT is retried as desired.

If I understand this correctly, a failed DNS query is treated the same
as a peer address of %any in ipsec.conf.  In the latter case, retrying
is not useful, but for a failed DNS query, it would be.

Would it be an option to proceed in spite of the missing peer IP
address, and do the name resolution later, so it can be retried?

Regards,
Mirko
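
As an added example (not part of Mirko's mail or of strongSwan itself), a small Python monitor that scans charon log lines for the sequence described above, so an operator can alert when a connection silently stays down after a failed lookup instead of being retried; the sample log is constructed from the excerpt, and correlating the events by the worker thread number in front of the log group is an assumption about the log format.

```python
import re

# Constructed sample of charon log lines, modelled on the excerpt in the mail above
SAMPLE_LOG = """\
May 25 00:44:12 13[CFG] added configuration 'net-net'
May 25 00:44:12 15[CFG] received stroke: initiate 'net-net'
May 25 00:44:12 15[MGR] checkout IKE_SA by config
May 25 00:44:12 15[MGR] created IKE_SA (unnamed)[1]
May 25 00:44:12 15[LIB] resolving 'moon.ipsec' failed: Name or service not known
May 25 00:44:12 15[IKE] unable to initiate to %any
May 25 00:44:12 15[MGR] checkin and destroy IKE_SA net-net[1]
May 25 00:44:12 15[IKE] IKE_SA net-net[1] state change: CREATED => DESTROYING
May 25 00:45:00 16[CFG] received stroke: initiate 'other'
May 25 00:45:00 16[MGR] created IKE_SA (unnamed)[2]
May 25 00:45:00 16[IKE] IKE_SA other[2] state change: CREATED => CONNECTING
"""

# "<timestamp> <thread>[<group>] <message>" (assumed charon line layout)
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<thread>\d+)\[\w+\] (?P<msg>.*)$")
INITIATE_RE = re.compile(r"received stroke: initiate '(?P<conn>[^']+)'")
RESOLVE_RE = re.compile(r"resolving '(?P<host>[^']+)' failed: (?P<reason>.+)")
DESTROY_RE = re.compile(r"IKE_SA (?P<conn>\S+)\[\d+\] state change: CREATED => DESTROYING")


def find_dns_initiation_failures(log_text):
    """Return one finding per IKE_SA that was destroyed straight after a failed
    name lookup during 'initiate'. Events are correlated per worker thread."""
    pending = {}   # thread -> {"conn", "ts", and later "host", "reason"}
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        thread, msg = m.group("thread"), m.group("msg")
        if (i := INITIATE_RE.search(msg)):
            pending[thread] = {"conn": i.group("conn"), "ts": m.group("ts")}
        elif (r := RESOLVE_RE.search(msg)) and thread in pending:
            pending[thread].update(host=r.group("host"), reason=r.group("reason"))
        elif (d := DESTROY_RE.search(msg)) and thread in pending:
            state = pending.pop(thread)
            # report only when the destroy followed a failed lookup for this conn
            if "host" in state and state["conn"] == d.group("conn"):
                findings.append(state)
    return findings


if __name__ == "__main__":
    for f in find_dns_initiation_failures(SAMPLE_LOG):
        print(f"{f['ts']}: conn '{f['conn']}' stays down: resolving "
              f"'{f['host']}' failed ({f['reason']}); no retry will follow")
```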
