From: Michael Niehren (michael_at_niehren.de)
Date: Sun Jan 12 2003 - 01:34:42 CET
Hi Hugh,
I think it works!!!
I tried out my simple config: after establishing the new Internet connection, I do
an ifconfig ipsec0 with the new IP and gateway values.
Then an ipsec whack --listen, change my ipsec config with the new values, and
I can establish the VPN.
I don't need the tncfg command.
The next thing I will try is the setup for the VPN over Internet and over WLAN
together. But this must wait until my vacation is over, because as of tomorrow
I am on the beach for the next 3 weeks.
Thanks for your help, Hugh.
In about 4 weeks I will let you know if this technique really, really, really
works. For now it seems to be working.
so long,
Michael
On Saturday, 11 January 2003 19:59, you wrote:
> | From: Michael Niehren <michael_at_niehren.de>
>
> [It is good to keep your email text narrower than 80 or even 72
> columns: that makes quoting work better. Of course you should not
> break lines from logs and so on.]
>
> | I tried out ipsec whack --listen, but that wasn't the solution. I got
> | the same error. Maybe I can describe a simpler setup that you can
> | evaluate too.
>
> The first rule is: when interfaces change, you must restart freeswan.
>
> You want to break that rule. That should be possible, with a great
> deal of cunning. If I understood your early mail, you were really
> close to getting this working. But remember: it is outside the design
> of the system. I thought that I was giving you the last piece of the
> puzzle.
>
> I've never tried this myself, but it would be great if we could come
> up with a recipe that would work.
>
> Here is what I think is needed to repair a changed interface:
>
> - I assume that external mechanisms get the physical interface right
>
> - the corresponding ipsec interface (ipsecN) needs to be ifconfigged
> with the correct address.
>
> - the interfaces need to be associated via an "ipsec tncfg" command.
>
> - once those steps are done, Pluto needs to rediscover the available
> interfaces: "ipsec whack --listen"
> Note: pluto doesn't directly care about the interfaces= setting
> in /etc/ipsec.conf.
>
> - the %defaultroute mechanism may need fixing. If you are not using
> it, let's not worry about it.
>
> - I think that SAs that used the interface that changed are broken
> by the change. Pluto may not know this. Probably the right fix
> is to do an additional "ipsec whack --listen" after the interface
> has gone down but before it is restored. Some experimentation
> would be useful.
>
>
> | Ok,
> | first you must have a dialup Internet connection (maybe ISDN or DSL).
> |
> | After the connection is established, adapt your new dynamic IP address
> | and gateway and start your VPN connection. Everything is OK. So, now
> | stop your Internet connection without stopping the VPN; only do
> | an ipsec auto --down <connectionname> and ipsec auto --delete
> | <connectionname>.
>
> I recommend doing an "ipsec whack --listen" here so Pluto discovers
> that the interface is down.
>
> | Then establish your Internet connection again; you get a different
> | dynamic IP.
>
> This is the point at which you need to either "ipsec setup restart" or
> the tricky steps I outlined above:
> - ifconfigging the ipsecN device,
> - ipsec tncfg
> - and:
> | I do an ipsec whack --listen,
>
> Maybe this will work. Remember: I've not tried this, it is pure
> theory.
>
> | but the output is only
> | [root_at_server ipsec]# ipsec whack --listen
> | 002 listening for IKE messages
> | 003 no public interfaces found
>
> Right. Because you missed a few steps (ones that you had described in
> earlier messages, so I thought you knew to do them).
>
> This is interesting stuff. It would be good to figure out if this
> technique works.
>
> Hugh Redelmeier
> hugh_at_mimosa.com voice: +1 416 482-8253
-- 
Michael Niehren      __   _          powered by
Am Waldstadion 32   / /  (_)__  __ ____  __
66636 Hasborn      / /__/ / _ \/ // /\ \/ /
Tel: 06853/892877 /____/_/_//_/\_,_/ /_/\_\
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
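The recovery sequence discussed in this thread, as an added example that is not part of either message or of FreeS/WAN itself: a dry-run shell helper that validates its inputs and prints the commands in the suggested order. The device names, connection name and address are constructed, and the `ipsec tncfg --attach` arguments and the final `ipsec auto --add`/`--up` steps are assumptions filled in for illustration.

```shell
#!/bin/sh
# Added example: prints (does not run) the recovery sequence from this thread.
# Device names, connection name and address below are constructed values.

# valid_ipv4 ADDR: true only for a dotted quad with every octet in 0..255.
valid_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.|'') return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# rekey_plan PHYS VIRT NEWIP CONN [tncfg]
# Emits the steps in the order suggested in the thread; the optional fifth
# argument adds the tncfg attach step, which Michael reports not needing.
rekey_plan() {
    phys=$1 virt=$2 newip=$3 conn=$4 attach=${5:-}
    valid_ipv4 "$newip" || { echo "bad address: $newip" >&2; return 1; }
    # Refuse names that would change meaning if the plan is fed to a shell.
    for name in "$phys" "$virt" "$conn"; do
        case "$name" in ''|-*|*[!A-Za-z0-9._-]*)
            echo "bad name: $name" >&2; return 1 ;;
        esac
    done
    echo "# 1. before the link goes down"
    echo "ipsec auto --down $conn"
    echo "ipsec auto --delete $conn"
    echo "# 2. link is down: let Pluto notice the interface is gone"
    echo "ipsec whack --listen"
    echo "# 3. link is back with the new address"
    echo "ifconfig $virt $newip"   # add netmask/peer arguments as the link needs
    if [ "$attach" = tncfg ]; then
        echo "ipsec tncfg --attach --virtual $virt --physical $phys"
    fi
    echo "ipsec whack --listen"
    echo "# 4. ipsec.conf already edited with the new values"
    echo "ipsec auto --add $conn"
    echo "ipsec auto --up $conn"
}

# Constructed sample run (192.0.2.0/24 is a documentation range).
rekey_plan ppp0 ipsec0 192.0.2.17 office tncfg
```

The printed plan is meant to be read and run step by step, since steps 2 and 3 depend on the link actually going down and coming back between them.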