diff options
Diffstat (limited to 'testing/tests/ikev2/dynamic-initiator/description.txt')
| -rw-r--r-- | testing/tests/ikev2/dynamic-initiator/description.txt | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/testing/tests/ikev2/dynamic-initiator/description.txt b/testing/tests/ikev2/dynamic-initiator/description.txt index e74ee1569..3e441b2fe 100644 --- a/testing/tests/ikev2/dynamic-initiator/description.txt +++ b/testing/tests/ikev2/dynamic-initiator/description.txt @@ -1,12 +1,12 @@ The peers <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the remote end -is defined symbolically by <b>right=<hostname></b>. The ipsec starter resolves the +is defined symbolically by <b>right=<hostname></b>. The IKE daemon resolves the fully-qualified hostname into the current IP address via a DNS lookup (simulated by an /etc/hosts entry). Since the peer IP addresses are expected to change over time, the option -<b>rightallowany=yes</b> will allow an IKE_SA rekeying to arrive from an arbitrary +<b>%</b> prefix in the <b>right</b> option will allow an IKE_SA rekeying to arrive from an arbitrary IP address under the condition that the peer identity remains unchanged. When this happens the old tunnel is replaced by an IPsec connection to the new origin. <p> In this scenario <b>carol</b> first initiates a tunnel to <b>moon</b>. After some time <b>carol</b> suddenly changes her IP address and restarts the connection to <b>moon</b> without deleting the old tunnel first (simulated by iptables blocking IKE packets to and from -<b>carol</b> and starting the connection from host <b>dave</b> using <b>carol</b>'s identity). +<b>carol</b> and starting the connection from host <b>dave</b> using <b>carol</b>'s identity). |