[strongSwan] IPSec on mobile connection with dynamic ip.

Martin Willi martin at strongswan.org
Thu Jul 22 08:02:23 CEST 2010


> Since, we've seen sort of a similar issue reported before

On-demand DNS resolution won't help in this situation; the problem is a
little different.

> Would you think that resolving the hostnames for both ends on dpd
> restart might be worth trying or are there any drawbacks to this?

charon does not resolve hostnames before it actually uses the addresses.
But the starter used with ipsec.conf based configurations is somewhat
overzealous and passes already resolved addresses to the daemons.

Passing unresolved addresses from starter to charon should be doable,
I'll consider it for 4.4.2. But implementing it properly for pluto is a
completely different story. I'm not a pluto expert, but I think it is
not that easy.

Regards
Martin





More information about the Users mailing list