Re: [Ipsec-tools-devel] Proposal for script hooks in racoon

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi, Heiko,

	I understand (please correct me, if I'm wrong) you're reporting 2 issues:
	1) cleanup of generated (via racoon or scripts) policies is needed;
	2) setup of connections with peers, described via DNS name (which most 
likely will be dynamic), is needed.

	Re (1), I'm working on more sofisticated generate_policy. It will track 
policies it generates and will remove generated policies when they will 
be no longer used [or peer will connect from different IP address]. You 
may monitor work-on-generate-policy branch in CVS on how this work is 
going on.

	Re (2), I'm affraid, there is chicken-and-egg problem. At present, you 
have to have an entry in SPD for racoon to negotiate Phase1 SA with 
peer. How would you solve this problem in the following scenario:

Gw-A gets connected, registers in DDNS. Gw-B is down, and DDNS has stale 
info about it. Link-up script finds IP addresses, generates SPD entries. 
Then, Gw-B gets connected, registers in DDNS. Gw-B's link-up script 
finds IP addresses and inserts correct SPD entries. But SPD@Gw-A has 
incorect info about tunnel between net-A and net-B and therefore no 
Phase2 connection is possible. How could you manage to change SPD@Gw-A 
using hooks&scripts?

	Maybe this could be solved by adding code to racoon for situation like 
this, by adding feature to conenct to some peers even there is no 
request from kernel to setup SA. But I still need to find algorithm how 
to do this. And I will be able to work on this only after new 
generate-policy will be finished.

Heiko Wagner wrote:
> Hi ipsec developers,
> 
> I have been using racoon in an road warrior scenario. I did set up one
> security gateway with a static ip and a second gateway using a dial up
> connection. Both operate in tunnel mode and connect two subnets. I managed
> to get everything working, except IPComp. I used the ability of pppd to
> execute a script when a new connection is established to modify the SPD on
> the road warrior according to the new ip assigned by the ISP. It would also
> be desireable to make a similar configuration working between two dialup
> gateways. In order to achieve this it would be necessary to have option to
> use dns names instead of ip addresses. I am currently extracting the ip for
> the road warrior from the interface configuration, it would be easily
> possible to change that script to obtain the address from a DNS. So if I had
> a chance to clean up and reset the configuration in the case where the
> connection goes down and a new ip is assigned by the ISP a configuration
> could be made possible to work between two dial up gateways. So my idea
> would be to execute a script when racoon detects that a SA has expired and
> the tunnel is no longer usable.
> 
> Regards
> Heiko Wagner
> 
> 
> 
> -------------------------------------------------------
> The SF.Net email is sponsored by EclipseCon 2004
> Premiere Conference on Open Tools Development and Integration
> See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
> http://www.eclipsecon.org/osdn
> _______________________________________________
> Ipsec-tools-devel mailing list
> Ips...@li...
> https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel

-- 
Aidas Kasparas
IT administrator
GM Consult Group, UAB