mirror of
https://github.com/strongswan/strongswan.git
synced 2025-10-04 00:00:14 -04:00
For documentation purposes the new folders ikev1-algs, ikev2-algs, ikev1-multi-ca and ikev2-multi-ca have been created. Most of the test cases have now been converted to the vici interface. The remaining legacy stroke scenarios yet to be converted have been put into the ikev2-stroke-bye folder. For documentation purposes some legacy stroke scenarios will be kept in the ikev1-stroke, ikev2-stroke and ipv6-stroke folders.
13 lines
841 B
Plaintext
Executable File
The peers <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the
<b>remote_addrs</b> field contains a <b>Fully Qualified Domain Name</b> (FQDN) which
is evaluated just before use via a DNS lookup (simulated by an /etc/hosts entry).
This will allow an IKE_SA rekeying to arrive from an arbitrary IP address
under the condition that the peer identity remains unchanged. When this happens
the old tunnel is replaced by an IPsec connection to the new origin.
<p>
In this scenario <b>carol</b> first initiates a tunnel to <b>moon</b>. After some
time <b>carol</b> suddenly changes her IP address and restarts the connection to
<b>moon</b> without deleting the old tunnel first (simulated by iptables blocking
IKE packets to and from <b>carol</b> and starting the connection from host <b>dave</b>
using <b>carol</b>'s identity).