Discussion:
[Openswan Users] ipsec.secrets for a host with a dynamic IP
Nick Howitt
2009-10-22 18:01:30 UTC
Hi,

I have a dynamic (almost static) IP address with a tunnel I initiate to
another router. Currently my ipsec.secrets reads:

myfqdn farfqdn : PSK "shared secret"

In the ipsec.conf I can use %defaultroute for left so if my IP changes
it always picks up the correct one. In ipsec.secrets I cannot see any
equivalent parameter so I use myfqdn instead. This means that if my IP
changes I have to wait for the change to ripple through the Dynamic DNS
system before I can reconnect the tunnel. An alternative would be to
write a script and make the script insert my IP into the ipsec.secrets
file. This is pretty inelegant. Is there any alternative or can
%defaultroute be made to work? I understand a script may still be needed
to monitor a change in my IP (or a tunnel drop) and reload ipsec.secrets,
but that would be better than having to wait for the Dynamic
DNS system to catch up.

Thanks,

Nick
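As an added example (not from this thread or from the Openswan project), here is the kind of script Nick describes: it reads the address that %defaultroute would resolve to, substitutes it into a template copy of ipsec.secrets, and asks pluto to re-read the file only when the address has actually changed. The template path, the @@MYIP@@ token, the state-file location and the use of iproute2's `ip route get` are my assumptions, not anything stated on the list.

```shell
#!/bin/sh
# Added example, not code from the Openswan thread or project.
# Keeps the local selector in ipsec.secrets equal to the default-route
# address and reloads pluto when it changes.  Assumptions (mine):
#  - /etc/ipsec.secrets.in is a template containing the literal token
#    @@MYIP@@ where the local selector goes, e.g.
#        @@MYIP@@ farfqdn : PSK "shared secret"
#  - iproute2's `ip route get` is available;
#  - `ipsec auto --rereadsecrets` makes pluto re-read ipsec.secrets.
set -eu

TEMPLATE="${TEMPLATE:-/etc/ipsec.secrets.in}"
SECRETS="${SECRETS:-/etc/ipsec.secrets}"
STATE="${STATE:-/var/run/ipsec-myip}"

# Extract the source address from one line of `ip route get` output on stdin:
# "1.1.1.1 via 192.0.2.1 dev eth0 src 192.0.2.10 uid 0" -> 192.0.2.10
# Prints nothing if there is no "src" field.
default_route_src() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# The address the kernel would use towards the default route, i.e. what
# left=%defaultroute resolves to in ipsec.conf.
current_ip() {
    ip -4 route get 1.1.1.1 2>/dev/null | default_route_src
}

# Render the template from stdin, substituting the address given as $1.
# Anything that is not a dotted quad is rejected, so a bad value cannot
# splice a second selector or an extra line into the secrets file.
render_secrets() {
    case "$1" in
        *[!0-9.]*|"") echo "render_secrets: bad address '$1'" >&2; return 1 ;;
    esac
    sed "s/@@MYIP@@/$1/g"
}

# Rewrite the secrets file and reload it, but only when the address
# differs from the one recorded at the previous run.
update_if_changed() {
    ip="$(current_ip)"
    [ -n "$ip" ] || { echo "no default route" >&2; return 1; }
    if [ -f "$STATE" ] && [ "$(cat "$STATE")" = "$ip" ]; then
        return 0                      # unchanged, nothing to do
    fi
    umask 077                         # the file holds the PSK
    render_secrets "$ip" < "$TEMPLATE" > "$SECRETS.tmp"
    mv "$SECRETS.tmp" "$SECRETS"
    ipsec auto --rereadsecrets        # Openswan: reload ipsec.secrets
    printf '%s\n' "$ip" > "$STATE"
    echo "ipsec.secrets updated for $ip"
}

# Run from cron (e.g. every minute) or a PPP/DHCP up-hook as:
#     sh ipsec-myip.sh watch
case "${1:-}" in
    watch) update_if_changed ;;
esac
```

Because the reload only happens when the recorded address differs, the script is cheap enough to run every minute from cron; a tunnel drop without an address change is a separate condition and is not handled here.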
Paul Wouters
2009-10-22 18:11:29 UTC
Post by Nick Howitt
I have a dynamic (almost static) IP address with a tunnel I initiate to
myfqdn farfqdn : PSK "shared secret"
In the ipsec.conf I can use %defaultroute for left so if my IP changes
it always picks up the correct one. In ipsec.secrets I cannot see any
equivalent parameter so I use myfqdn instead.
%any (or 0.0.0.0)

Paul
Nick Howitt
2009-10-22 18:21:46 UTC
Yes. Presumably that will match the secret only for farfqdn, like:

%any farfqdn : PSK "shared secret"

I was wondering if I could be more specific for my IP. Practically
speaking, if it worked, would there be any difference between:

%defaultroute farfqdn : PSK "shared secret"

and

%any farfqdn : PSK "shared secret"

Nick
Post by Paul Wouters
Post by Nick Howitt
I have a dynamic (almost static) IP address with a tunnel I initiate to
myfqdn farfqdn : PSK "shared secret"
In the ipsec.conf I can use %defaultroute for left so if my IP changes
it always picks up the correct one. In ipsec.secrets I cannot see any
equivalent parameter so I use myfqdn instead.
%any (or 0.0.0.0)
Paul
Paul Wouters
2009-10-22 22:14:04 UTC
Post by Nick Howitt
%any farfqdn : PSK "shared secret"
I was wondering if I could be more specific for my IP. Practically speaking,
%defaultroute farfqdn : PSK "shared secret"
and
%any farfqdn : PSK "shared secret"
What would the point be? I assume that farfqdn is unique anyway, so narrowing
it down does not get you anything?

Paul
Nick Howitt
2009-10-23 13:13:16 UTC
Changing to:

%any farFQDN : PSK "shared secret"

is giving a small issue. I have a second incoming VPN from a router on a
dynamic IP, so my ipsec.secrets file now reads:

: PSK "Dial-In secret"
%any farFQDN : PSK "shared secret"

and now when the router on a dynamic IP renegotiates I am seeing in my
log file:

multiple ipsec.secrets entries with distinct secrets match endpoints:
first secret used

If I reverse the order of the secrets file, the router with the dynamic
IP cannot connect with:

probable authentication failure (mismatch of preshared secrets?):
malformed payload in packet payload malformed after IV

If I change to:

: PSK "Dial-In secret"
farFQDN : PSK "shared secret"

With the lines in either order, the dynamic IP router connects fine, but
the static one fails to negotiate Main Mode with:

discarding duplicate packet; already STATE_MAIN_I3
"MumOut" #515: max number of retransmissions (2) reached STATE_MAIN_I3.
Possible authentication failure:

It seems like a %defaultroute type of solution would get round this.

As a separate question, for the router at farFQDN, if it changes IP, do
I have to reload the secrets file or will farFQDN be internally
re-evaluated as Openswan attempts to renegotiate the connection?

Regards,

Nick
Post by Nick Howitt
%any farfqdn : PSK "shared secret"
I was wondering if I could be more specific for my IP. Practically
%defaultroute farfqdn : PSK "shared secret"
and
%any farfqdn : PSK "shared secret"
Nick
Post by Paul Wouters
Post by Nick Howitt
I have a dynamic (almost static) IP address with a tunnel I initiate to
myfqdn farfqdn : PSK "shared secret"
In the ipsec.conf I can use %defaultroute for left so if my IP changes
it always picks up the correct one. In ipsec.secrets I cannot see any
equivalent parameter so I use myfqdn instead.
%any (or 0.0.0.0)
Paul
_______________________________________________
http://lists.openswan.org/mailman/listinfo/users
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155