On 2007/07/04 10:36, Georg Buschbeck wrote:
>
> my suggestion is that the OpenBSD box doesn't resolve the new IP of the
> Draytek; in the logfiles I can see the OpenBSD systems trying to re-establish
> the connection to the old IP of the Draytek.
That's not how DPD works; it should just pull down the SA when it can't contact the other side. This would happen on both sides: the dynamic side would see the SA is down, then try to reconnect when it gets another packet that should traverse the VPN. The static side (i.e. OpenBSD) should be configured passive without listing the peer address, something like this:

    ike passive esp \
        from 192.168.64.0/21 to any \
        main auth hmac-sha1 enc aes group grp2 \
        quick auth hmac-sha1 enc aes group grp2 \
        tag ipsec-$id

("to any" is magic). If you use PSK rather than public-key, specify it here (same PSK for all dynamic endpoints).

> the dyndns-name of the draytek does not have a correct reverse lookup.

You don't need DynDNS for this (though it may be useful for other things).
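The two ends of the setup discussed in this thread, written out as an added example in ipsec.conf(5) syntax (it is not from the original mail). Everything except the 192.168.64.0/21 network and the grp2/aes/hmac-sha1 proposals is an assumption: 203.0.113.10 as the static OpenBSD address, 198.51.100.77 as one address the dynamic Draytek happened to hold, 192.168.1.0/24 as the LAN behind it, and the PSK string. The dynamic end is shown as if it were a second OpenBSD box, since a Draytek is configured through its own UI.

```conf
# /etc/ipsec.conf on the static (OpenBSD) side. Added example, not from the
# thread; addresses other than 192.168.64.0/21 and the PSK are made up.

# Broken form: the peer address is pinned. When the Draytek's address changes,
# isakmpd keeps trying to rebuild the SA with 198.51.100.77 and the new
# address is never accepted.
#ike esp from 192.168.64.0/21 to 192.168.1.0/24 peer 198.51.100.77 \
#    main auth hmac-sha1 enc aes group grp2 \
#    quick auth hmac-sha1 enc aes group grp2 \
#    psk "long-random-shared-secret"

# Working form: passive (wait for the dynamic side to initiate), no peer
# address, and "to any" so the remote network is whatever the initiator
# proposes. One PSK is shared by every dynamic endpoint. The tag lets pf(4)
# rules match decapsulated traffic per peer ID (e.g. "tagged ipsec-<id>").
ike passive esp \
    from 192.168.64.0/21 to any \
    main auth hmac-sha1 enc aes group grp2 \
    quick auth hmac-sha1 enc aes group grp2 \
    psk "long-random-shared-secret" \
    tag ipsec-$id

# Dynamic side, for illustration only (assumed LAN 192.168.1.0/24, static
# peer 203.0.113.10). It initiates, so it is the one that reconnects after
# DPD tears the SA down and the next packet for 192.168.64.0/21 arrives.
#ike active esp \
#    from 192.168.1.0/24 to 192.168.64.0/21 peer 203.0.113.10 \
#    main auth hmac-sha1 enc aes group grp2 \
#    quick auth hmac-sha1 enc aes group grp2 \
#    psk "long-random-shared-secret"
```

Check the file with `ipsecctl -n -f /etc/ipsec.conf` before loading it, then watch `ipsecctl -sa` and `ipsecctl -sf` on the OpenBSD side: after the Draytek's address changes you should see the old SA disappear and a new one appear with the new peer address, rather than repeated attempts against the old one.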