use of the right=%<fqdn> wildcard

This commit is contained in:
Andreas Steffen 2007-06-26 10:46:30 +00:00
parent 4cb9d7a758
commit 361712fe37
4 changed files with 8 additions and 12 deletions


@ -1,8 +1,9 @@
The peers <b>carol</b>, <b>dave</b>, and <b>moon</b> all have dynamic IP addresses,
so that the remote end is defined symbolically by <b>right=&lt;hostname&gt;</b>.
so that the remote end is defined symbolically by <b>right=%&lt;hostname&gt;</b>.
The ipsec starter resolves the fully-qualified hostname into the current IP address
via a DNS lookup (simulated by an /etc/hosts entry). Since the peer IP addresses are
expected to change over time, the option <b>rightallowany=yes</b> will allow an IKE
expected to change over time, the prefix '%' is used as an implicit alternative to the
explicit <b>rightallowany=yes</b> option which will allow an IKE
main mode rekeying to arrive from an arbitrary IP address under the condition that
the peer identity remains unchanged. When this happens the old tunnel is replaced
by an IPsec connection to the new origin.
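Review bot: the rewritten sentence starting at "expected to change over time, the prefix '%' is used as an implicit alternative to the explicit rightallowany=yes option which will allow an IKE main mode rekeying" is a run-on; split it, for example "the hostname is given with a '%' prefix. This is an implicit alternative to the explicit rightallowany=yes option and allows an IKE main mode rekeying to arrive from an arbitrary IP address, provided that the peer identity remains unchanged." Keeping the identity condition attached to that statement matters, because once the source address is no longer constrained the rightid match is the only check left.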
@ -10,6 +11,5 @@ by an IPsec connection to the new origin.
In this scenario both <b>carol</b> and <b>dave</b> initiate a tunnel to
<b>moon</b> which has a named connection definition for each peer. Although
the IP addresses of both <b>carol</b> and <b>dave</b> are stale, thanks to
the <b>rightallowany=yes</b> flag <b>moon</b> will accept the IKE negotiations
from the actual IP addresses.
the '%' prefix <b>moon</b> will accept the IKE negotiations from the actual IP addresses.
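Review bot: the replacement line "the '%' prefix moon will accept the IKE negotiations" keeps "thanks to" from the old text but drops "flag", so the sentence now reads "thanks to the '%' prefix moon will accept"; add a comma or rephrase ("because of the '%' prefix on right=, moon accepts the IKE negotiations from the actual IP addresses"). It would also help to repeat here that acceptance is conditional on the peer identity matching, as the first paragraph states, so the scenario description does not read as if moon accepts negotiations from anywhere unconditionally.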


@ -18,8 +18,7 @@ conn moon
leftcert=carolCert.pem
leftid=carol@strongswan.org
leftfirewall=yes
right=moon.strongswan.org
rightallowany=yes
right=%moon.strongswan.org
rightsubnet=10.1.0.0/16
rightid=@moon.strongswan.org
auto=add
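Review bot: removing rightallowany=yes in favour of right=%moon.strongswan.org leaves rightid=@moon.strongswan.org, two lines below the change, as the only constraint on which peer may be accepted from an arbitrary address; the change is consistent with the description, but this dependency deserves a one-line comment in the test configuration so that a later edit does not drop the rightid line. The leftfirewall=yes and rightsubnet=10.1.0.0/16 context lines are unchanged and fine.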


@ -18,8 +18,7 @@ conn moon
leftcert=daveCert.pem
leftid=dave@strongswan.org
leftfirewall=yes
right=moon.strongswan.org
rightallowany=yes
right=%moon.strongswan.org
rightsubnet=10.1.0.0/16
rightid=@moon.strongswan.org
auto=add
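Review bot: this hunk is identical to the one in carol's configuration apart from the leftcert and leftid lines, so the same remark applies: with rightallowany=yes gone, the identity check rests on rightid=@moon.strongswan.org alone and that line must stay. Since both hosts now carry the same right=%moon.strongswan.org line, the duplication is acceptable for a test fixture but could be noted in the scenario description.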


@ -19,15 +19,13 @@ conn %default
leftfirewall=yes
conn carol
right=carol.strongswan.org
rightallowany=yes
right=%carol.strongswan.org
rightid=carol@strongswan.org
rightsubnet=PH_IP_CAROL1/32
auto=add
conn dave
right=dave.strongswan.org
rightallowany=yes
right=%dave.strongswan.org
rightid=dave@strongswan.org
rightsubnet=PH_IP_DAVE1/32
auto=add
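Review bot: in conn carol and conn dave the right= lines become right=%carol.strongswan.org and right=%dave.strongswan.org with rightallowany=yes dropped, mirroring the peer side, and rightid=carol@strongswan.org and rightid=dave@strongswan.org remain, so the identity condition is still enforced on moon. One readability point: this file already uses '%' in the conn %default header with a different meaning, and the new '%' prefix on right= is a second use; a short comment above conn carol saying that the prefix here means "resolve the hostname and accept the peer from any source address" would keep readers of the test from conflating the two.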