I'm having Dynamic IP issues with dhclient, ddclient, and isakmpd, on
OpenBSD running on a Soekris net4511 as a residential gateway. My
connection is a consumer grade AT&T DSL line. My IP address changes an
average of once every 18 hours but that is not set. I have an IPSEC
tunnel configured using certificates and FQDN identifiers between the
Soekris and another OpenBSD box in my basement on a static IP
connection. This whole setup works as follows: The Soekris gets its
external IP via dhclient. Ddclient updates this address at DynDNS.com
and isakmpd should then follow by establishing the tunnel. All of this
works great on boot. When the external IP gets changed by AT&T,
isakmpd fails because it continues to use the old IP address for the
IKE exchange. I can restore the tunnel with the following shell
commands:
# kill $(cat /var/run/isakmpd.pid)
# /usr/sbin/isakmpd -K
# /usr/sbin/ipsecctl -F -f /etc/ipsec.conf
Shouldn't the ipsec tunnel get restored by just the third command?
Things that I've tried: I've changed the dhclient-script to one that
calls enter and exit hooks like the stock ISC dhclient does and I've
added a little bit of scripting there to capture the IP address change
event but when I add the call to do the updates within this script
dhclient fails and dies. I'm inclined to believe that this is a
timeout issue since the exact same modifications work on a Soekris
Net5501. The only differences that I can see between the two of them
are that ddclient takes about 8 ~ 10 seconds on the Net4511 and about
1.5 seconds on the Net5501.
I've also tried running sshd on the box and having it available so I
could just log in and manage the transition on my own but that seems
to fail also. Do I need to restart pf after an address change on my
external interface?
Thanks for any help
-- Chris
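An added example, not the poster's own script, of an ISC-style dhclient exit hook that runs the three recovery commands from the post whenever the lease address actually changes, with the slow part detached so a long ddclient run cannot hold dhclient past its timeout. The hook location, the ddclient path and its -force flag, and the ISC variable names $reason, $old_ip_address and $new_ip_address are assumptions.

```shell
#!/bin/sh
# Example /etc/dhclient-exit-hooks (illustration, not from the original post).
# Assumes the ISC-style dhclient-script sources this file with $reason,
# $old_ip_address and $new_ip_address set.

# ip_changed OLD NEW -> 0 when a new address is present and differs from the old one.
ip_changed() {
    [ -n "$2" ] && [ "$1" != "$2" ]
}

# handles_reason REASON -> 0 for the lease events that can carry a new address.
handles_reason() {
    case "$1" in
        BOUND|RENEW|REBIND|REBOOT) return 0 ;;
        *) return 1 ;;
    esac
}

# rekey_tunnel: push the new address to DynDNS, then restart isakmpd so it
# binds to the new address and reload the flows. Run detached in a subshell
# so a slow ddclient does not stall dhclient itself.
rekey_tunnel() {
    (
        /usr/local/sbin/ddclient -force     # assumed path and flag
        kill "$(cat /var/run/isakmpd.pid)"
        sleep 2                             # let the old daemon exit
        /usr/sbin/isakmpd -K
        /usr/sbin/ipsecctl -F -f /etc/ipsec.conf
    ) > /dev/null 2>&1 &
}

# Only act when sourced by dhclient-script for an address-changing event.
if [ -n "$reason" ] && handles_reason "$reason" \
   && ip_changed "$old_ip_address" "$new_ip_address"; then
    logger -t dhclient-exit-hooks \
        "external address changed $old_ip_address -> $new_ip_address, rekeying IPsec"
    rekey_tunnel
fi
```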