mirror of
https://github.com/strongswan/strongswan.git
synced 2025-10-05 00:00:45 -04:00
13 lines
988 B
Plaintext
13 lines
988 B
Plaintext
The peers <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the remote end
|
|
is defined symbolically by <b>right=<hostname></b>. The IKE daemon resolves the
|
|
fully-qualified hostname into the current IP address via a DNS lookup (simulated by an
|
|
/etc/hosts entry). Since the peer IP addresses are expected to change over time, the option
|
|
<b>%</b> prefix in the <b>right</b> option will allow an IKE_SA rekeying to arrive from an arbitrary
|
|
IP address under the condition that the peer identity remains unchanged. When this happens
|
|
the old tunnel is replaced by an IPsec connection to the new origin.
|
|
<p>
|
|
In this scenario <b>carol</b> first initiates a tunnel to <b>moon</b>. After some time <b>carol</b>
|
|
suddenly changes her IP address and restarts the connection to <b>moon</b> without deleting the
|
|
old tunnel first (simulated by iptables blocking IKE packets to and from
|
|
<b>carol</b> and starting the connection from host <b>dave</b> using <b>carol</b>'s identity).
|