[strongSwan] S2S VPN with dynamic DNS

Dusan Ilic dusan at comhem.se
Wed Jun 14 15:23:57 CEST 2017


Hi,

I have an S2S IPsec tunnel setup that has problems now that one side of 
the tunnel has been assigned a new public IP. The hostname used has 
been immediately updated by way of dynamic DNS, and the TTL expired 
two hours ago. When trying to bring up the tunnel on the side with the changed 
IP, strongSwan returns "received AUTHENTICATION_FAILED notify error", 
and when trying to do the same on the remote end the log looks like 
the following.

generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 94.254.123.x[500] to 85.24.242.x[500]
received packet: from 85.24.242.x[500] to 94.254.123.x[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
CERTREQ N(MULT_AUTH) ]
received 1 cert requests for an unknown ca
authentication of 'hostname' (myself) with pre-shared key
no shared key found for 'hostname' - '*85.24.240.x*'

Now as you can see the packets are sent to the correct host (the domain is 
correctly resolved); however, on the last line it's the old IP. What's 
happening here? I have tried restarting strongSwan on both hosts, but it 
doesn't help.

This is the first time since I set up the tunnel with dynamic DNS that 
one side of the tunnel has changed IP. How can I make either side of 
the tunnel continue reconnecting until the hostname is properly 
resolving again?
I have another tunnel going to the same client, and it has successfully 
reconnected after it picked up the new IP. The client is a 
Fortigate router. So, how can I force strongSwan to retry?
