Re: [Users] FreeS/WAN detection of modified DNS

From: Sam Sgro (sam_at_freeswan.org)
Date: Thu Oct 31 2002 - 20:34:41 CET


On 31 Oct 2002, Fraser Campbell wrote:

> We have a multi-homed FreeS/WAN hub to which 20-30 remote offices will be
> connecting. Our tunnels use a right=vpn.xxxx.com parameter.
>
> We were hoping that if we kept the TTL low on the vpn DNS record and kept
> FreeS/WAN's rekeying parameters at a similar interval that we could
> implement failover centrally using DNS.
>
> Instead what happens is that FreeS/WAN never gives up on the first hostname
> that it looked up and continues to negotiate based on that IP even when the
> underlying OS recognises that the remote IP has changed. Blocking the remote
> FreeS/WAN's access to the IP still doesn't force it to do a double check of
> the hostname's IP.
>
> Is there anything that we can do to make FreeS/WAN honour the DNS TTLs and
> relookup the host, short of restarting it?

Sorry about that! You should have asked the Users list sooner, or checked the
archive; this behavior is well documented.

DNS lookups happen at the moment a connection is added to FreeS/WAN's internal
database, and nothing short of that connection being "--replace"'d, or
"--delete"d and "--add"ed, will provoke the lookup again.

Now, Mathieu Lafon has coded a new starter script; we have been seriously
considering this to replace our own startup methods. It includes the behavior
which you are looking for; specifically:

    Upon reloading, dynamic DNS addr will be resolved and reloaded. Use
    --auto_reload to periodically check dynamic DNS changes.

I'd encourage you to try this script, as it doesn't require a full freeswan
recompilation. (Using virgin 1.98b, I did have to run make in our "lib"
directory to provide a needed library. That was about it.)

--
Sam Sgro
sam_at_freeswan.org
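The workaround Sam describes (re-resolving the name and forcing a "--replace" so the connection is added afresh) can be scripted without the new starter. The following is an added example, not code from the thread or from FreeS/WAN; it assumes getent is available, that the conn was configured to be brought up with "ipsec auto --up" after a replace, and the names vpn.example.com, hub and the state-file path are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): FreeS/WAN resolves right=hostname
# only when the connection is added, so re-resolve it from cron and run
# "ipsec auto --replace" when the address has changed. Assumed placeholders:
# HOST (the right= name), CONN (the conn name in ipsec.conf), STATE (cache file).

# resolve_host NAME -> prints the first address getent returns for NAME.
resolve_host() {
    getent hosts "$1" | awk '{ print $1; exit }'
}

# replace_conn CONN -> re-add the connection (fresh DNS lookup) and bring it up.
# Assumption: the tunnel is expected to be up, so --up follows the --replace.
replace_conn() {
    ipsec auto --replace "$1" && ipsec auto --up "$1"
}

# refresh_if_changed HOST CONN STATE
# Returns 0 if the address changed and the conn was replaced, 1 if unchanged,
# 2 if the name did not resolve or the replace failed (tunnel left untouched,
# so a transient DNS outage never tears down a working connection).
refresh_if_changed() {
    host=$1; conn=$2; state=$3
    new=$(resolve_host "$host")
    [ -n "$new" ] || return 2
    old=""
    [ -f "$state" ] && old=$(cat "$state")
    if [ "$new" = "$old" ]; then
        return 1
    fi
    replace_conn "$conn" || return 2
    printf '%s\n' "$new" > "$state"
    return 0
}

# Usage (assumed): refresh_dns.sh vpn.example.com hub /var/run/hub.addr
# Run it from cron at roughly the DNS TTL of the vpn record.
if [ "$#" -eq 3 ]; then
    refresh_if_changed "$1" "$2" "$3"
fi
```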





This archive was generated by hypermail 2.1.5 : Fri Nov 01 2002 - 05:20:36 CET