diff options
author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2009-03-22 10:06:21 +0000 |
---|---|---|
committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2009-03-22 10:06:21 +0000 |
commit | 7b88a5ce44f52abb13390c6c105bdd58a590a626 (patch) | |
tree | abfb7e16a76d3d65af2c809c949b747a874e33fd /testing/tests/ikev1/dpd-restart/description.txt | |
parent | 3c810543672b76a7c9b871420866f822f8b067d8 (diff) | |
download | vyos-strongswan-7b88a5ce44f52abb13390c6c105bdd58a590a626.tar.gz vyos-strongswan-7b88a5ce44f52abb13390c6c105bdd58a590a626.zip |
- New upstream version.
Diffstat (limited to 'testing/tests/ikev1/dpd-restart/description.txt')
-rw-r--r-- | testing/tests/ikev1/dpd-restart/description.txt | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/testing/tests/ikev1/dpd-restart/description.txt b/testing/tests/ikev1/dpd-restart/description.txt new file mode 100644 index 000000000..0a309cf52 --- /dev/null +++ b/testing/tests/ikev1/dpd-restart/description.txt @@ -0,0 +1,13 @@ +The peer <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the remote end +is defined symbolically by <b>right=%<hostname></b>. The ipsec starter resolves the +fully-qualified hostname into the current IP address via a DNS lookup (simulated by an +/etc/hosts entry). Since the peer IP addresses are expected to change over time, the option +<b>rightallowany=yes</b> will allow an IKE main mode rekeying to arrive from an arbitrary +IP address under the condition that the peer identity remains unchanged. When this happens +the old tunnel is replaced by an IPsec connection to the new origin. +<p> +In this scenario <b>moon</b> first initiates a tunnel to <b>carol</b>. After some time +the responder <b>carol</b> disconnects (simulated by iptables blocking IKE and ESP traffic). +<b>moon</b> detects via Dead Peer Detection (DPD) that the connection is down and tries to +reconnect. After a few seconds the firewall is opened again and the connection is +reestablished. |