diff options
Diffstat (limited to 'testing/tests/ikev1/dpd-restart/description.txt')
| -rw-r--r-- | testing/tests/ikev1/dpd-restart/description.txt | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/testing/tests/ikev1/dpd-restart/description.txt b/testing/tests/ikev1/dpd-restart/description.txt new file mode 100644 index 000000000..0a309cf52 --- /dev/null +++ b/testing/tests/ikev1/dpd-restart/description.txt @@ -0,0 +1,13 @@ +The peer <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the remote end +is defined symbolically by <b>right=%<hostname></b>. The ipsec starter resolves the +fully-qualified hostname into the current IP address via a DNS lookup (simulated by an +/etc/hosts entry). Since the peer IP addresses are expected to change over time, the option +<b>rightallowany=yes</b> will allow an IKE main mode rekeying to arrive from an arbitrary +IP address under the condition that the peer identity remains unchanged. When this happens +the old tunnel is replaced by an IPsec connection to the new origin. +<p> +In this scenario <b>moon</b> first initiates a tunnel to <b>carol</b>. After some time +the responder <b>carol</b> disconnects (simulated by iptables blocking IKE and ESP traffic). +<b>moon</b> detects via Dead Peer Detection (DPD) that the connection is down and tries to +reconnect. After a few seconds the firewall is opened again and the connection is +reestablished. |