On Tue, 4 Apr 2006 22:54:54 -0400, Jean Raby wrote:
>Hello,
>
>I've been testing some vpn configurations with ipsecctl - ipsec.conf
>on 3.9-CURRENT (i386), a snapshot from March 30 2006.
>
>Is there a way to specify the "peer" as a fqdn in a ike esp rule?
>something like:
>
>ike dynamic esp from 10.150.150.2 to 192.168.1.0/24 peer vpn.example.com
>
>(dstid should probably be added)
>
>when using this, I get the following error:
># ipsecctl -vnf ipsec.conf
>no IP address found for vpn.example.com
>
>I know the man page quite clearly says that all addresses in such a rule
>have to be specified in CIDR notation, but using a fqdn for the peer
>could be useful for setups in which the endpoint has a dynamic ip and
>uses something like dyndns to have a fqdn pointing at the right ip.
>
>Did I miss something obvious, or are there legitimate reasons for
>making this stuff ip addresses only?
I have a patch from Hans-Joerg Hoexer which should allow this but I cannot
test it for a little while because my build machine is tied up with another
task that has several days to run yet. Of course you'll have to run -current
to use it.

Meanwhile you can do what I did where one end of a connection was on a
dynamic ip:

Register the dynamic host with dyndns.com (f.q.d.n used here as a guide).

Have ipsec.conf rules look like:

ike esp from 10.99.99.0/24 to 172.16.99.0/24 peer 1.2.3.4 srcid static.example.com dstid f.q.d.n

(for example. You'll need a full set at each end.)

Then have a cron job at the static end that checks to see if the IP changes
and if it does then have a script that rewrites ipsec.conf with the new peer
IP and does "ipsecctl -f /etc/ipsec.conf" at the end. The script, of course,
only needs to update the static end rules. That isn't really hard to do.

From the land "down under": Australia. Do we look <umop apisdn> from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.
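The cron-driven update described in the reply above, written out as an added example that is neither the poster's script nor anything shipped with OpenBSD. It assumes (none of this is in the thread) that the static end's rules for the dynamic peer end with the comment "# dyn-peer", that the last known address is kept in a small state file, that host(1) does the lookup, and that cron calls it as "/usr/local/sbin/dyn-peer.sh run".

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenBSD: cron job for the
# static end that resolves the dynamic peer's DNS name, rewrites the "peer"
# address in ipsec.conf only when it changed, and reloads the ruleset.
# Assumed (not in the post): rules for the dynamic peer end with the comment
# "# dyn-peer"; last known address lives in STATE; host(1) does the lookup.

CONF=${CONF:-/etc/ipsec.conf}
STATE=${STATE:-/var/db/dyn-peer.ip}
PEER_FQDN=${PEER_FQDN:-f.q.d.n}
RELOAD=${RELOAD:-"ipsecctl -f"}

# Print the peer's current IPv4 address, or nothing if DNS has no answer.
resolve_peer() {
    host -t A "$1" 2>/dev/null | awk '/has address/ { print $NF; exit }'
}

# Accept only a dotted quad: a DNS failure or an error string must never be
# spliced into the ruleset.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Replace "peer OLD" with "peer NEW" on marked lines only, so rules for other
# (static) peers stay untouched. Matching a following space or end of line
# keeps 1.2.3.4 from also matching 1.2.3.45. Writes through a temp file.
rewrite_peer() {
    file=$1 old=$2 new=$3
    old_re=$(printf '%s' "$old" | sed 's/\./\\./g')
    sed -e "/# dyn-peer/ s/peer $old_re /peer $new /" \
        -e "/# dyn-peer/ s/peer $old_re\$/peer $new/" "$file" > "$file.tmp" &&
        mv "$file.tmp" "$file"
}

# Exit status: 0 rules rewritten and reloaded, 1 address unchanged,
# 2 resolution failed (the previous peer address is left in place).
update_peer() {
    new=$(resolve_peer "$PEER_FQDN" || true)
    is_ipv4 "$new" || return 2
    old=$(cat "$STATE" 2>/dev/null) || old=
    # First run (no state file yet): take the address from the marked rule.
    is_ipv4 "$old" ||
        old=$(sed -n '/# dyn-peer/ s/.*peer \([0-9.]*\).*/\1/p' "$CONF" | head -1)
    [ "$new" = "$old" ] && return 1
    rewrite_peer "$CONF" "$old" "$new" || return 2
    printf '%s\n' "$new" > "$STATE"
    $RELOAD "$CONF"
}

if [ "$1" = run ]; then update_peer; fi
```

The address check makes the job fail closed: a lookup that returns nothing or garbage leaves the previous peer address in the ruleset instead of loading a broken rule.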