From 7b0305f59ddab9ea026b202a8c569912e5bf9a90 Mon Sep 17 00:00:00 2001 From: Rene Mayrhofer Date: Wed, 4 Jul 2007 23:47:20 +0000 Subject: [svn-upgrade] Integrating new upstream version, strongswan (4.1.4) --- testing/tests/ikev1/dynamic-responder/description.txt | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 testing/tests/ikev1/dynamic-responder/description.txt (limited to 'testing/tests/ikev1/dynamic-responder/description.txt') diff --git a/testing/tests/ikev1/dynamic-responder/description.txt b/testing/tests/ikev1/dynamic-responder/description.txt new file mode 100644 index 000000000..76471a973 --- /dev/null +++ b/testing/tests/ikev1/dynamic-responder/description.txt @@ -0,0 +1,13 @@ +The peers carol and moon both have dynamic IP addresses, so that the remote end +is defined symbolically by right=<hostname>. The ipsec starter resolves the +fully-qualified hostname into the current IP address via a DNS lookup (simulated by an +/etc/hosts entry). Since the peer IP addresses are expected to change over time, the option +rightallowany=yes will allow an IKE main mode rekeying to arrive from an arbitrary +IP address under the condition that the peer identity remains unchanged. When this happens +the old tunnel is replaced by an IPsec connection to the new origin. +

+In this scenario moon first initiates a tunnel to carol. After some time +the responder carol suddenly changes her IP address and restarts the connection to +moon without deleting the old tunnel first (simulated by iptables blocking IKE packets +to and from carol and starting the connection from host dave using +carol's identity). -- cgit v1.2.3
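Review bot: The second paragraph of description.txt has dave start the connection "using carol's identity", but the file never says how that identity is authenticated, and with rightallowany=yes the source address no longer restricts who may rekey. Suggest adding a sentence that names the authentication method used in this scenario and notes that dave is provisioned with carol's credentials for the simulation, so that "the peer identity remains unchanged" is not read as a bare ID match. The first paragraph also states that the old tunnel "is replaced by an IPsec connection to the new origin" without saying what the test verifies at the end; a closing line describing the expected state on moon (old tunnel gone, new tunnel to the new address up) would make the pass criterion explicit.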