From: D. Hugh Redelmeier (hugh_at_mimosa.com)
Date: Sat Jan 11 2003 - 19:59:43 CET
| From: Michael Niehren <michael_at_niehren.de>
[It is good to keep your email text narrower than 80 or even 72
columns: that makes quoting work better. Of course you should not
break lines from logs and so on.]
| I tried out ipsec whack --listen, but that wasn't the solution. I got
| the same error. Maybe I can describe a simpler setup that you can
| evaluate too.
The first rule is: when interfaces change, you must restart freeswan.
You want to break that rule. That should be possible, with a great
deal of cunning. If I understood your early mail, you were really
close to getting this working. But remember: it is outside the design
of the system. I thought that I was giving you the last piece of the
puzzle.
I've never tried this myself, but it would be great if we could come
up with a recipe that would work.
Here is what I think is needed to repair a changed interface:
- I assume that external mechanisms get the physical interface right
- the corresponding ipsec interface (ipsecN) needs to be ifconfigged
with the correct address.
- the interfaces need to be associated via an "ipsec tncfg" command.
- once those steps are done, Pluto needs to rediscover the available
interfaces: "ipsec whack --listen"
Note: pluto doesn't directly care about the interfaces= setting
in /etc/ipsec.conf.
- the %defaultroute mechanism may need fixing. If you are not using
it, let's not worry about it.
- I think that SAs that used the interface that changed are broken
by the change. Pluto may not know this. Probably the right fix
is to do an additional "ipsec whack --listen" after the interface
has gone down but before it is restored. Some experimentation
would be useful.
| Ok,
| first you must have a dial-up Internet connection (maybe ISDN or DSL).
|
| After the connection has been established, adapt your new dynamic IP
| address and gateway and start your VPN connection. Everything is ok.
| Now stop your Internet connection without stopping the VPN; only do
| an ipsec auto --down <connectionname> and ipsec auto --delete
| <connectionname>.
I recommend doing an "ipsec whack --listen" here so Pluto discovers
that the interface is down.
| Then establish your Internet connection again; you get a different
| dynamic IP.
This is the point at which you need to either "ipsec setup restart" or
the tricky steps I outlined above:
- ifconfigging the ipsecN device,
- ipsec tncfg
- and:
| I do an ipsec whack --listen,
Maybe this will work. Remember: I've not tried this, it is pure
theory.
| but the output is only
| [root_at_server ipsec]# ipsec whack --listen
| 002 listening for IKE messages
| 003 no public interfaces found
Right. Because you missed a few steps (ones that you had described in
earlier messages, so I thought you knew to do them).
This is interesting stuff. It would be good to figure out if this
technique works.
Hugh Redelmeier
hugh_at_mimosa.com voice: +1 416 482-8253
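An added example (not part of Hugh's message or of the FreeS/WAN distribution) that scripts the untested recipe above for a KLIPS-based FreeS/WAN box: it assumes it runs as root, that the physical interface (ppp0 here) already carries its new address, and that bringing ipsecN down before "tncfg --detach" is an acceptable teardown order. DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Constructed example: re-attach a FreeS/WAN ipsecN device after a dial-up
# reconnect, following the steps in the message above (not FreeS/WAN code).
# Assumptions: KLIPS-based FreeS/WAN, run as root, the physical interface
# already has its new address.  DRY_RUN=1 prints commands instead of running.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# When the link goes down: detach ipsecN and let Pluto notice that the
# interface is gone (the extra "whack --listen" suggested above).
ipsec_iface_down() {
    virt=$1
    run ifconfig "$virt" down
    run ipsec tncfg --detach --virtual "$virt"
    run ipsec whack --listen
}

# When the link is back with a new address: ifconfig ipsecN, associate it
# with the physical device via tncfg, then make Pluto rediscover it.
ipsec_iface_up() {
    phys=$1; virt=$2; addr=$3; mask=${4:-255.255.255.255}
    run ifconfig "$virt" "$addr" netmask "$mask" up
    run ipsec tncfg --attach --virtual "$virt" --physical "$phys"
    run ipsec whack --listen
}

# Usage: sh reattach.sh down ipsec0
#        sh reattach.sh up ppp0 ipsec0 192.0.2.10   (constructed address)
case "${1:-}" in
    down) ipsec_iface_down "$2" ;;
    up)   ipsec_iface_up "$2" "$3" "$4" "$5" ;;
esac
```

The %defaultroute fix-up and any pre-existing SAs on the old address are left to "ipsec auto --down/--delete" as in the steps above; the script only handles the interface side.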
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.5 : Sun Jan 12 2003 - 05:21:07 CET