From: Aidas K. <a.k...@gm...> - 2004-02-06 11:48:54
Heiko,

Could you please file an RFE "connection between gateways with dynamic addresses" (it IS worth implementing) for a long term solution. And for the short term, may I suggest a workaround - ping the other end and flush/recreate the SPD when the ping methodically fails. A script like this should do the trick (you may need to adjust constants, add other parameters to ping):

    IP_AT_OTHER_END="10.10.10.10"   # address of the peer gateway
    FAIL_LIMIT=5                    # consecutive failed pings tolerated before a reset
    i=0                             # count of consecutive failed pings
    while :; do
        echo "pinging"
        if ping -c 1 "$IP_AT_OTHER_END" > /dev/null 2>&1; then
            i=0
        else
            i=$((i + 1))
        fi
        if [ "$i" -gt "$FAIL_LIMIT" ]; then
            echo "Flushing and recreating SPD"
            # put the setkey commands that flush and recreate your SPD here
            i=0
        fi
        sleep 5
    done

Heiko Wagner wrote:
> Hi Aidas Kasparas,
>
> you are surely right about the chicken-and-egg problem. It could solve this
> by taking care that the two gateways are always connected. The fact is that
> my ISP 'kicks me out' after 24h but I can reestablish the connection
> immediately afterwards. This normally happens during the night where no one
> wants to access the VPN, so this should be no problem. If racoon would be
> able to execute a script in the case that the SA could not be established
> this would mean that at least one gateway failed to connect to the internet.
> I would be able to write a script that could send me an e-mail that
> "something wicked has happened" as Donald Becker would say. ;-) A solution
> within racoon would be appreciated, but I don't know if a situation like
> mine is that common that it makes sense to implement the behaviour within
> racoon. I would be satisfied if I would be able to solve my problem on my
> own. So I suggested a strategy being already common for pppd as it also
> might help other situations.
>
> Regards
> Heiko Wagner
>
> -----Original Message-----
> From: Aidas Kasparas [mailto:a.k...@gm...]
> Sent: Freitag, 6. Februar 2004 11:25
> To: Heiko Wagner
> Cc: ips...@li...
> Subject: Re: [Ipsec-tools-devel] Proposal for script hooks in racoon
>
>
> Hi, Heiko,
>
> I understand (please correct me, if I'm wrong) you're reporting 2 issues:
> 1) cleanup of generated (via racoon or scripts) policies is needed;
> 2) setup of connections with peers, described via DNS name (which most
> likely will be dynamic), is needed.
>
> Re (1), I'm working on a more sophisticated generate_policy. It will track
> policies it generates and will remove generated policies when they are
> no longer used [or the peer connects from a different IP address]. You
> may monitor the work-on-generate-policy branch in CVS on how this work is
> going on.
>
> Re (2), I'm afraid, there is a chicken-and-egg problem. At present, you
> have to have an entry in the SPD for racoon to negotiate a Phase1 SA with a
> peer. How would you solve this problem in the following scenario:
>
> Gw-A gets connected, registers in DDNS. Gw-B is down, and DDNS has stale
> info about it. Link-up script finds IP addresses, generates SPD entries.
> Then, Gw-B gets connected, registers in DDNS. Gw-B's link-up script
> finds IP addresses and inserts correct SPD entries. But SPD@Gw-A has
> incorrect info about the tunnel between net-A and net-B and therefore no
> Phase2 connection is possible. How could you manage to change SPD@Gw-A
> using hooks&scripts?
>
> Maybe this could be solved by adding code to racoon for situations like
> this, by adding a feature to connect to some peers even when there is no
> request from the kernel to set up an SA. But I still need to find an
> algorithm for how to do this. And I will be able to work on this only after
> the new generate-policy is finished.
>
> Heiko Wagner wrote:
>
>>Hi ipsec developers,
>>
>>I have been using racoon in a road warrior scenario. I did set up one
>>security gateway with a static IP and a second gateway using a dial up
>>connection. Both operate in tunnel mode and connect two subnets. I managed
>>to get everything working, except IPComp. I used the ability of pppd to
>>execute a script when a new connection is established to modify the SPD on
>>the road warrior according to the new IP assigned by the ISP. It would also
>>be desirable to make a similar configuration work between two dialup
>>gateways. In order to achieve this it would be necessary to have an option
>>to use DNS names instead of IP addresses. I am currently extracting the IP
>>for the road warrior from the interface configuration; it would be easily
>>possible to change that script to obtain the address from DNS. So if I had
>>a chance to clean up and reset the configuration in the case where the
>>connection goes down and a new IP is assigned by the ISP, a configuration
>>could be made possible to work between two dial up gateways. So my idea
>>would be to execute a script when racoon detects that an SA has expired and
>>the tunnel is no longer usable.
>>
>>Regards
>>Heiko Wagner
>
> --
> Aidas Kasparas
> IT administrator
> GM Consult Group, UAB

--
Aidas Kasparas
IT administrator
GM Consult Group, UAB
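The following is an added example, written for this archive page; it is neither Aidas's script above nor anything shipped with ipsec-tools or racoon. It generalizes the two ideas in the thread into one watchdog: Aidas's "reset the SPD after N failed pings" loop, and Heiko's "look the peer up by its (dynamic) DNS name and regenerate the policies" link-up script. It assumes `setkey` from ipsec-tools and `getent` for name resolution are installed, and every name and address in it (`PEER_NAME`, `LOCAL_GW`, `LOCAL_NET`, `REMOTE_NET`, the example networks) is a placeholder to be replaced with your own values. The `needs_reset`, `update_failures` and `spd_commands` helpers are kept separate from the loop so the decision logic and the generated `setkey` script can be checked without touching the kernel.

```shell
#!/bin/sh
# Added example, not from the thread: a ping watchdog that rebuilds the SPD with
# setkey when the peer stops answering or its DNS name resolves to a new address.
# Every value below is an assumption/placeholder, not a value from the thread.
PEER_NAME="${PEER_NAME:-gw-b.example.invalid}"   # DDNS name of the other gateway
LOCAL_GW="${LOCAL_GW:-192.0.2.1}"                # this gateway's current address
LOCAL_NET="${LOCAL_NET:-10.1.0.0/24}"            # subnet behind this gateway
REMOTE_NET="${REMOTE_NET:-10.2.0.0/24}"          # subnet behind the peer
FAIL_LIMIT="${FAIL_LIMIT:-5}"                    # consecutive failed pings before a reset
INTERVAL="${INTERVAL:-5}"                        # seconds between probes

# update_failures COUNT PING_STATUS: print the new consecutive-failure count.
# A successful ping (status 0) resets the count; a failure increments it.
update_failures() {
    if [ "$2" -eq 0 ]; then
        echo 0
    else
        echo $(( $1 + 1 ))
    fi
}

# needs_reset COUNT LIMIT: succeed when the failure count has reached the limit.
needs_reset() {
    [ "$1" -ge "$2" ]
}

# resolve_peer NAME: print the first address NAME resolves to; fail if none.
resolve_peer() {
    addr=$(getent hosts "$1" | awk '{ print $1; exit }')
    [ -n "$addr" ] && echo "$addr"
}

# spd_commands LOCAL_GW REMOTE_GW LOCAL_NET REMOTE_NET: print the setkey script
# that flushes the SPD and installs the two tunnel-mode policies for the peer.
spd_commands() {
    cat <<EOF
spdflush;
spdadd $3 $4 any -P out ipsec esp/tunnel/$1-$2/require;
spdadd $4 $3 any -P in ipsec esp/tunnel/$2-$1/require;
EOF
}

# reset_spd REMOTE_GW: feed the generated policies to setkey (ipsec-tools).
reset_spd() {
    spd_commands "$LOCAL_GW" "$1" "$LOCAL_NET" "$REMOTE_NET" | setkey -c
}

# watchdog: probe the peer forever and rebuild the SPD when either the ping
# has failed FAIL_LIMIT times in a row or the peer's address has changed.
watchdog() {
    fails=0
    peer=$(resolve_peer "$PEER_NAME") || { echo "cannot resolve $PEER_NAME" >&2; return 1; }
    reset_spd "$peer"
    while :; do
        if ping -c 1 "$peer" > /dev/null 2>&1; then st=0; else st=1; fi
        fails=$(update_failures "$fails" "$st")
        # fall back to the last known address while the name does not resolve
        current=$(resolve_peer "$PEER_NAME" || echo "$peer")
        if [ "$current" != "$peer" ] || needs_reset "$fails" "$FAIL_LIMIT"; then
            echo "peer $PEER_NAME is now $current, rebuilding SPD"
            peer=$current
            reset_spd "$peer"
            fails=0
        fi
        sleep "$INTERVAL"
    done
}

# Only start the loop when invoked as "watchdog.sh run"; sourcing the file
# merely defines the functions.
if [ "${1:-}" = "run" ]; then
    watchdog
fi
```

Two points from the thread carry over to this design. First, rebuilding the SPD on one gateway only fixes that gateway's view of the tunnel; in Aidas's Gw-A/Gw-B scenario both ends must run something like this (or racoon itself must initiate) before Phase2 can succeed, so the watchdog is a workaround for the stale-SPD symptom, not a replacement for the RFE. Second, the ping counter resets only after a successful reply, so a flapping link keeps re-installing the same policies every FAIL_LIMIT probes; raise FAIL_LIMIT or INTERVAL if that churn shows up in the setkey/racoon logs.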