[strongSwan] IPSec on mobile connection with dynamic ip.
Mohit Mehta
mohit.mehta at vyatta.com
Wed Jul 21 19:41:52 CEST 2010
Hi Martin,
Since, we've seen sort of a similar issue reported before - http://www.mail-archive.com/users@lists.strongswan.org/msg02166.html [although that one is while using pluto], Would you think that resolving the hostnames for both ends on dpd restart might be worth trying or are there any drawbacks to this?
Mohit
----- Original Message -----
> > after ipsec update tunnel was established but did not work (old
> > polices ?)
>
> Probably yes.
>
> > 22:43:38 01[IKE] no route found to reach 217.29.8.1, MOBIKE update
> > deferred
> > 22:44:05 14[IKE] sending DPD request
>
> This is a little unlucky: before MOBIKE finds a route, a DPD check is
> enforced and tries hard to find the peer over the old address.
>
> We currently do not suspend DPD checks, and this shortcoming prevents
> the MOBIKE update to start. Maybe I find a way to delay DPD and
> rekeying tasks, but it's not trivial to implement.
>
> I'd try to increase the DPD timeout, or disable it completely.
>
> Regards
> Martin
>
>
> _______________________________________________ Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
More information about the Users
mailing list