From: Aidas K. <a.k...@gm...> - 2004-02-06 10:25:27
Hi, Heiko,

I understand (please correct me if I'm wrong) you're reporting 2 issues:
1) cleanup of generated (via racoon or scripts) policies is needed;
2) setup of connections with peers described via a DNS name (which most likely will be dynamic) is needed.

Re (1), I'm working on a more sophisticated generate_policy. It will track the policies it generates and will remove generated policies when they are no longer used [or the peer connects from a different IP address]. You may monitor the work-on-generate-policy branch in CVS to see how this work is going on.

Re (2), I'm afraid there is a chicken-and-egg problem. At present, you have to have an entry in the SPD for racoon to negotiate a Phase 1 SA with a peer. How would you solve this problem in the following scenario: Gw-A gets connected, registers in DDNS. Gw-B is down, and DDNS has stale info about it. The link-up script finds IP addresses and generates SPD entries. Then Gw-B gets connected and registers in DDNS. Gw-B's link-up script finds IP addresses and inserts correct SPD entries. But SPD@Gw-A has incorrect info about the tunnel between net-A and net-B, and therefore no Phase 2 connection is possible. How could you manage to change SPD@Gw-A using hooks & scripts?

Maybe this could be solved by adding code to racoon for a situation like this, by adding a feature to connect to some peers even when there is no request from the kernel to set up an SA. But I still need to find an algorithm for how to do this. And I will be able to work on this only after the new generate-policy is finished.

Heiko Wagner wrote:
> Hi ipsec developers,
>
> I have been using racoon in a road warrior scenario. I did set up one
> security gateway with a static IP and a second gateway using a dial-up
> connection. Both operate in tunnel mode and connect two subnets. I managed
> to get everything working, except IPComp. I used the ability of pppd to
> execute a script when a new connection is established to modify the SPD on
> the road warrior according to the new IP assigned by the ISP.
>
> It would also be desirable to make a similar configuration work between
> two dial-up gateways. In order to achieve this it would be necessary to have
> an option to use DNS names instead of IP addresses. I am currently
> extracting the IP for the road warrior from the interface configuration;
> it would be easily possible to change that script to obtain the address
> from DNS. So if I had a chance to clean up and reset the configuration in
> the case where the connection goes down and a new IP is assigned by the
> ISP, a configuration could be made possible to work between two dial-up
> gateways. So my idea would be to execute a script when racoon detects that
> an SA has expired and the tunnel is no longer usable.
>
> Regards
> Heiko Wagner
>
> _______________________________________________
> Ipsec-tools-devel mailing list
> Ips...@li...
> https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel

--
Aidas Kasparas
IT administrator
GM Consult Group, UAB
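The pppd link-up hook Heiko describes, as an added example that is not part of this thread or of the ipsec-tools sources: it rebuilds the two tunnel-mode SPD entries for the road-warrior gateway each time the ISP hands out a new address, removing the previous pair first (Aidas's cleanup point) and resolving the peer by DNS name (Heiko's second point). The subnets, the peer address, and the `gen_spd`/`resolve_peer` function names are assumptions; pppd's own `ip-up` argument convention (`$4` is the local address, `PPP_IFACE` is exported) and the `setkey -c` / `spdadd` / `spddelete` syntax are real.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the ipsec-tools project.
# Builds the setkey(8) commands a pppd ip-up hook would pipe into "setkey -c"
# to (re)install tunnel-mode SPD entries on a gateway whose address changes
# on every dial-up. Subnets and peer address below are constructed placeholders.

NET_A="${NET_A:-192.168.1.0/24}"        # subnet behind the road warrior (constructed)
NET_B="${NET_B:-192.168.2.0/24}"        # subnet behind the static gateway (constructed)
GW_STATIC="${GW_STATIC:-203.0.113.10}"  # static peer; may be a DNS name (constructed)

# gen_spd LOCAL_IP PEER_IP
# Prints the spdadd commands for one tunnel between NET_A and NET_B.
# The "out" policy is keyed on our current dial-up address; the "in" policy
# mirrors it. racoon needs these entries before it will start Phase 1.
gen_spd() {
    local_ip="$1"
    peer_ip="$2"
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$NET_A" "$NET_B" "$local_ip" "$peer_ip"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$NET_B" "$NET_A" "$peer_ip" "$local_ip"
}

# gen_spd_delete
# Removes only the two entries this tunnel owns (selector + direction), so a
# stale policy bound to the previous ISP address does not linger. Using
# spddelete instead of spdflush leaves other tunnels on the box untouched.
gen_spd_delete() {
    printf 'spddelete %s %s any -P out;\n' "$NET_A" "$NET_B"
    printf 'spddelete %s %s any -P in;\n'  "$NET_B" "$NET_A"
}

# resolve_peer NAME_OR_IP
# Returns the first IPv4 address for a DNS name via getent (assumed available),
# or the literal unchanged when it is already a dotted quad. Note that this is
# exactly the spot where a stale dynamic-DNS record would feed a wrong address
# into the SPD, as Aidas points out.
resolve_peer() {
    case "$1" in
        *[!0-9.]*) getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }' ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# Only act when pppd actually invoked us as an ip-up script:
# pppd exports PPP_IFACE and passes the local address as argument 4.
if [ -n "${PPP_IFACE:-}" ] && [ "$#" -ge 4 ]; then
    peer=$(resolve_peer "$GW_STATIC")
    { gen_spd_delete; gen_spd "$4" "$peer"; } | setkey -c
fi
```

Run from `/etc/ppp/ip-up.d/` (or called from `/etc/ppp/ip-up`), the script emits nothing when sourced by hand; under pppd it deletes the old pair and loads the new one in a single `setkey -c` session. The companion `ip-down` hook would call only `gen_spd_delete`, which is the cleanup step Heiko asked for and the part Aidas's generate_policy work aims to automate inside racoon.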