Yup, sounds like a good workaround.

Actually, both endpoints have dynamic IPs,
so the script would have to get the peer's IP from the FQDN,
but that's not a problem.

If you don't mind sending the patch my way,
I'd like to see the diff. I tried to figure out how that stuff worked
yesterday,
but it was getting late...

Thanks

Jean

On 4/4/06, Rod.. Whitworth <[EMAIL PROTECTED]> wrote:
> On Tue, 4 Apr 2006 22:54:54 -0400, Jean Raby wrote:
>
> >Hello,
> >
> >I've been testing some VPN configurations with ipsecctl / ipsec.conf
> >on 3.9-CURRENT (i386), a snapshot from March 30, 2006.
> >
> >Is there a way to specify the "peer" as an FQDN in an ike esp rule?
> >something like:
> >
> >ike dynamic esp from 10.150.150.2 to 192.168.1.0/24 peer vpn.example.com
> >
> >(dstid should probably be added)
> >
> >when using this, i get the following error:
> ># ipsecctl -vnf ipsec.conf
> >no IP address found for vpn.example.com
> >
> >I know the man page quite clearly says that all addresses in such a rule
> >have to be specified in CIDR notation, but using an FQDN for the peer
> >could be useful
> >for setups in which the endpoint has a dynamic IP and uses something
> >like dyndns
> >to have an FQDN pointing at the right IP.
> >
> >Did I miss something obvious, or are there legitimate reasons for
> >making this stuff IP addresses only?
>
> I have a patch from Hans-Joerg Hoexer which should allow this but I
> cannot test it for a little while because my build machine is tied up
> with another task that has several days to run yet.
>
> Of course you'll have to run -current to use it.
>
> Meanwhile you can do what I did where one end of a connection was on a
> dynamic ip:
>
> Register the dynamic host with dyndns.com (f.q.d.n used here as a
> guide)
>
> Have ipsec.conf rules look like:
> ike esp from 10.99.99.0/24 to 172.16.99.0/24 peer 1.2.3.4 srcid
> static.example.com dstid f.q.d.n   (for example. You'll need a full set
> at each end.)
>
> Then have a cron job at the static end that checks to see if the IP
> changes and if it does then have a script that rewrites ipsec.conf with
> the new peer IP and does "ipsecctl -f /etc/ipsec.conf" at the end.
>
> The script, of course, only needs to update the static end rules.
>
> That isn't really hard to do.
>
>
>
> From the land "down under": Australia.
> Do we look <umop apisdn> from up over?
>
> Do NOT CC me - I am subscribed to the list.
> Replies to the sender address will fail except from the list-server.
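The cron job Rod describes for the static end (resolve the FQDN, compare it with the "peer" address in ipsec.conf, rewrite the rule if it changed, reload with ipsecctl) is sketched below as an added example; it is not code from the thread or from OpenBSD. The script name peercheck.sh, the example FQDN f.q.d.n and the sample rules are assumptions. It only ever touches rules whose dstid is the dynamic peer's FQDN, and it parse-checks the rewritten file with `ipsecctl -n -f` before replacing the live one, so a bad rewrite cannot leave a broken ipsec.conf behind.

```shell
#!/bin/sh
# Hypothetical cron job for the static end of the tunnel (added example,
# not from the original thread). Resolves the dynamic peer's FQDN and, if
# the address differs from the "peer" in the rules whose dstid is that
# FQDN, rewrites those rules, syntax-checks the result and reloads it.
#
# Usage: peercheck.sh /etc/ipsec.conf f.q.d.n
# The script name, f.q.d.n and the sample rules are assumptions.

# Resolve $1 to one IPv4 address with host(1) from OpenBSD base.
# Dynamic DNS records usually carry a short TTL; schedule the cron job
# at a matching interval.
resolve_peer() {
    host "$1" | awk '/has address/ { print $4; exit }'
}

# Print the peer address currently configured in $1 for the rule whose
# dstid is $2. Fields are compared whole, so "f.q.d.n" never matches
# "f.q.d.n.example".
current_peer() {
    awk -v id="$2" '
        {
            hit = 0
            for (i = 1; i < NF; i++) if ($i == "dstid" && $(i + 1) == id) hit = 1
            if (hit) for (i = 1; i < NF; i++) if ($i == "peer") { print $(i + 1); exit }
        }' "$1"
}

# Copy $1 to $4, replacing the peer address with $3 in every rule whose
# dstid is $2. Rules for other peers and comments pass through untouched.
# Reassigning a field makes awk rejoin the line with single spaces, which
# ipsecctl does not care about.
rewrite_peer() {
    awk -v id="$2" -v new="$3" '
        {
            hit = 0
            for (i = 1; i < NF; i++) if ($i == "dstid" && $(i + 1) == id) hit = 1
            if (hit) for (i = 1; i < NF; i++) if ($i == "peer") $(i + 1) = new
            print
        }' "$1" > "$4"
}

# Full check-and-reload cycle for conf $1 and dynamic peer FQDN $2.
update_peer() {
    conf=$1 fqdn=$2
    new=$(resolve_peer "$fqdn")
    if [ -z "$new" ]; then
        echo "no IP address found for $fqdn, leaving $conf alone" >&2
        return 1
    fi
    old=$(current_peer "$conf" "$fqdn")
    [ "$old" = "$new" ] && return 0          # unchanged, nothing to do

    tmp="$conf.new.$$"
    rewrite_peer "$conf" "$fqdn" "$new" "$tmp" || { rm -f "$tmp"; return 1; }
    # Parse only (-n) before touching the live file, so a bad rewrite
    # never replaces a working ipsec.conf.
    if ! ipsecctl -n -f "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 0600 "$tmp" && mv "$tmp" "$conf" || return 1
    echo "peer $fqdn changed $old -> $new, reloading" >&2
    ipsecctl -f "$conf"
}

if [ $# -ge 2 ]; then
    update_peer "$1" "$2"
fi
```

A crontab entry such as `*/5 * * * * /usr/local/sbin/peercheck.sh /etc/ipsec.conf f.q.d.n` (path and interval are assumptions) runs the check every five minutes; nothing is written or reloaded while the resolved address matches what is already in the file.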
