From: Ken Bantoft (ken_at_freeswan.ca)
Date: Thu Oct 31 2002 - 19:48:11 CET
On 31 Oct 2002, Fraser Campbell wrote:
> We have a multi-homed FreeS/WAN hub to which 20-30 remote offices will be
> connecting. Our tunnels use a right=vpn.xxxx.com parameter.
>
> We were hoping that if we kept the TTL low on the vpn DNS record and kept
> FreeS/WAN's rekeying parameters at a similar interval that we could
> implement failover centrally using DNS.
>
> Instead what happens is that FreeS/WAN never gives up on the first hostname
> that it looked up and continues to negotiate based on that IP even when the
> underlying OS recognises that the remote IP has changed. Blocking the remote
> FreeS/WAN's access to the IP still doesn't force it to do a double check of
> the hostname's IP.
Yup. Looks like Pluto doesn't pick up on the new hostnames.
>
> Is there anything that we can do to make FreeS/WAN honour the DNS TTLs and
> relookup the host, short of restarting it?
>
> Thanks,
>
ipsec auto --replace <conn_name>
Might do the trick for you.
--
Ken Bantoft                  The Unofficial FreeS/WAN Site:
ken_at_freeswan.ca           http://www.freeswan.ca
PGP Key: finger ken_at_bantoft.org
"Anyone who considers arithmetical methods of producing
random digits is, of course, in a state of sin."
-- John Von Neumann, 1951
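The suggestion above only helps if something actually issues the --replace when the DNS answer changes. The script below is an added example (it is not part of the original thread and not FreeS/WAN's own code) of a small poller, meant to run from cron on a remote office at roughly the DNS TTL interval: it resolves the hostname through the OS resolver, which does honour the TTL, compares the answer with the last address it recorded, and only then re-adds the connection so Pluto forgets its cached copy. The connection name "office-hub", the state file path and the trailing "ipsec auto --up" (needed if the conn is not brought up automatically after a re-add) are assumptions; the hostname vpn.xxxx.com is the placeholder from the question.

```shell
#!/bin/sh
# Added example, not from the original post or the FreeS/WAN project:
# re-resolve the right= hostname and force Pluto to re-add the conn
# only when the address has changed.
#
# Hypothetical values: connection name "office-hub", state file under
# /var/run; vpn.xxxx.com is the placeholder hostname from the question.

CONN="${CONN:-office-hub}"
HOST="${HOST:-vpn.xxxx.com}"
STATE="${STATE:-/var/run/ipsec-${CONN}.lastip}"

# Resolve a hostname to its first IPv4 address via the OS resolver
# (getent follows the DNS TTL, unlike the address Pluto cached at add time).
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# Pure decision function so it can be tested without network access:
# returns 0 (true) when we got a non-empty answer that differs from the
# address recorded on the previous pass. An empty answer (resolver failure)
# never triggers a replace, so a DNS outage does not tear the tunnel down.
needs_replace() {
    old="$1"; new="$2"
    [ -n "$new" ] && [ "$new" != "$old" ]
}

# One polling pass. Returns 0 if a replace was issued, 1 otherwise.
check_once() {
    new=$(resolve_ipv4 "$HOST")
    old=""
    [ -f "$STATE" ] && old=$(cat "$STATE")
    if needs_replace "$old" "$new"; then
        # --replace is delete + add from ipsec.conf, which is when Pluto
        # looks the hostname up again. --up afterwards is an assumption:
        # drop it if your conn is brought up automatically on add.
        ipsec auto --replace "$CONN" && ipsec auto --up "$CONN"
        echo "$new" > "$STATE"
        return 0
    fi
    return 1
}

# Invoke as "ipsec-dns-watch.sh run" from cron, e.g. every 5 minutes
# to match a 300-second TTL on the vpn record:
#   */5 * * * * /usr/local/sbin/ipsec-dns-watch.sh run
if [ "${1:-}" = "run" ]; then
    check_once
fi
```

Keep the cron interval at or below the record's TTL; polling more slowly than the TTL just moves the failover delay from Pluto to the script. The recorded-address file also means a restart of the script does not issue a spurious --replace against a tunnel that is already pointing at the right address.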
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users