[strongSwan] Update route policy on changing IPs without ipsec restart

Hans-Kristian Bakke hkbakke at gmail.com
Fri Nov 4 08:36:07 CET 2016


I have two sites connected to each other where both sites have dynamic
addresses. With auto=route, dpdaction=clear/restart and a GRE tunnel
established between the left/right subnets sending OSPF HELLOs frequently,
the tunnel has been very robust and instantly self-healing if either end
goes down.

But a couple of days ago I got a new issue. The WAN IP on one of the sites
changed, and the installed route traps didn't fire as the IPs in the IPsec
policy were now wrong. This was with dpdaction=clear on both ends.

I have a couple of questions:

- Would dpdaction=restart look up the DynDNS address again if this happens
while the tunnel is up?
- What if the IP address changes after significant downtime somewhere in
the WAN network, so long that DPD gives up (is that after 5 retries?)?
- Is there some other way to update the installed route traps in the IPsec
policy, or to set some refresh interval for the DNS lookup, without an ipsec
restart, which in this case would mean a separate script?

Hans-Kristian Bakke
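The "separate script" mentioned at the end of the post, written out as an added example (it is not part of the original message or of the strongSwan project): a cron-driven watchdog that re-resolves the peer's DynDNS name, and only when the address actually changes reinstalls the trap policy and the SA for that one connection instead of restarting the daemon. The connection name "site-b", the hostname "siteb.dyndns.example", the cache path /var/run/siteb-peer.ip and the use of the classic `ipsec` CLI (reload/unroute/route/down/up) are assumptions for illustration; whether charon itself would have re-resolved the name on dpdaction=restart is the open question above and is not answered here.

```shell
#!/bin/sh
# Added example, not from the original post or from strongSwan itself.
# Assumed names (hypothetical): connection "site-b" in ipsec.conf, peer
# hostname "siteb.dyndns.example", cache file /var/run/siteb-peer.ip,
# and the classic 'ipsec' CLI on the PATH.

# First IPv4 address the resolver returns for a name; empty output on failure.
resolve_peer() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# Pure decision step, kept separate from DNS and from charon so it can be
# exercised offline. Prints one of: unresolved, same, changed.
compare_peer_ip() {
    cached=$1
    current=$2
    if [ -z "$current" ]; then
        echo unresolved
    elif [ "$cached" = "$current" ]; then
        echo same
    else
        echo changed
    fi
}

# Reinstall trap policy and SA for one connection without touching the rest:
# 'ipsec reload' re-reads ipsec.conf, unroute/route replace the trap policy
# (installed again with the freshly resolved address), down/up replace the SA.
reinstall_conn() {
    conn=$1
    ipsec reload &&
    ipsec unroute "$conn" &&
    ipsec route "$conn" &&
    ipsec down "$conn"
    ipsec up "$conn"
}

# One watchdog pass: compare the freshly resolved address with the cached one.
refresh_peer() {
    conn=$1
    host=$2
    cache=$3
    cached=""
    [ -r "$cache" ] && cached=$(cat "$cache")
    current=$(resolve_peer "$host")
    case $(compare_peer_ip "$cached" "$current") in
        unresolved)
            # A transient DNS failure must not tear down a working tunnel.
            echo "lookup of $host failed; leaving $conn untouched" >&2
            return 1 ;;
        same)
            return 0 ;;
        changed)
            echo "$host is now $current (was ${cached:-unknown}); reinstalling $conn"
            reinstall_conn "$conn" && printf '%s\n' "$current" > "$cache" ;;
    esac
}

# Only act when invoked explicitly, e.g. from cron once a minute:
#   * * * * * /usr/local/sbin/peer-watch.sh run site-b siteb.dyndns.example /var/run/siteb-peer.ip
if [ "${1:-}" = run ]; then
    refresh_peer "$2" "$3" "$4"
fi
```

The decision logic is deliberately split from the side effects: `compare_peer_ip` never touches DNS or charon, a failed lookup is treated as "do nothing" rather than "peer gone", and the cache file is only rewritten after the reinstall succeeded, so a failed `ipsec up` is retried on the next pass.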
