blob: 0a309cf52ef84be92429a9529f3a300c949eb97e (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
|
The peer <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the remote end
is defined symbolically by <b>right=%<hostname></b>. The ipsec starter resolves the
fully-qualified hostname into the current IP address via a DNS lookup (simulated by an
/etc/hosts entry). Since the peer IP addresses are expected to change over time, the option
<b>rightallowany=yes</b> will allow an IKE main mode rekeying to arrive from an arbitrary
IP address under the condition that the peer identity remains unchanged. When this happens
the old tunnel is replaced by an IPsec connection to the new origin.
<p>
In this scenario <b>moon</b> first initiates a tunnel to <b>carol</b>. After some time
the responder <b>carol</b> disconnects (simulated by iptables blocking IKE and ESP traffic).
<b>moon</b> detects via Dead Peer Detection (DPD) that the connection is down and tries to
reconnect. After a few seconds the firewall is opened again and the connection is
reestablished.
|
