From 7b0305f59ddab9ea026b202a8c569912e5bf9a90 Mon Sep 17 00:00:00 2001
From: Rene Mayrhofer
Date: Wed, 4 Jul 2007 23:47:20 +0000
Subject: [svn-upgrade] Integrating new upstream version, strongswan (4.1.4)
---
testing/tests/ikev1/dynamic-two-peers/description.txt | 15 +++++++++++++++
1 file changed, 15 insertions(+)
create mode 100644 testing/tests/ikev1/dynamic-two-peers/description.txt
(limited to 'testing/tests/ikev1/dynamic-two-peers/description.txt')
diff --git a/testing/tests/ikev1/dynamic-two-peers/description.txt b/testing/tests/ikev1/dynamic-two-peers/description.txt
new file mode 100644
index 000000000..56a1c0754
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-two-peers/description.txt
@@ -0,0 +1,15 @@
+The peers carol, dave, and moon all have dynamic IP addresses,
+so that the remote end is defined symbolically by right=%<hostname>.
+The ipsec starter resolves the fully-qualified hostname into the current IP address
+via a DNS lookup (simulated by an /etc/hosts entry). Since the peer IP addresses are
+expected to change over time, the prefix '%' is used as an implicit alternative to the
+explicit rightallowany=yes option which will allow an IKE
+main mode rekeying to arrive from an arbitrary IP address under the condition that
+the peer identity remains unchanged. When this happens the old tunnel is replaced
+by an IPsec connection to the new origin.
+

+In this scenario both carol and dave initiate a tunnel to
+moon which has a named connection definition for each peer. Although
+the IP addresses of both carol and dave are stale, thanks to
+the '%' prefix moon will accept the IKE negotiations from the actual IP addresses.
+
-- cgit v1.2.3