[ previous ] [ next ] [ threads ]
 From:  Michael <monowall at encambio dot com>
 To:  M0n0wall list <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] IPSec and dynamic DNS
 Date:  Thu, 29 Jul 2010 10:56:26 +0200
Hello Macafee,

On Wed., Jul 28, 2010, macafee wrote:
>  2010-7-28 18:34, Michael :
>> My routers have a dynamic DNS - IPSec problem.
>> [...]
>> On the remote (static ) router madrid.mynet.com, I see that the
>> SAD entries are never torn down and the SPD entries contain the
>> old IP address for tokyo.mynet.com.
>> I've already activated dead peer detection (DPD). What else do
>> I need to do to get this working?
> I use the genericpc-1.32 version. I met this problem too. But I
> use two dynamic ip address on both side. I found the system can't
> renew the ip address when the ip address was changed.
After looking in the forum it seems that others are having this
problem as well as you and me. As far as I can see, either the
racoon (IKEv1) daemon or whatever is controlling it:

  1) Knows when the remote IPSec host IP changes, because
     of 'IPsec DNS check interval' in system_advanced.php
  2) Knows that it should reconstruct peer bindings from
     time to time, because of 'Dead Peer Detection'

...so I still don't understand why m0n0wall's IPSec logic is
failing. The DNS server logs show that the routers are indeed
querying for each other's new IP addresses at the given interval.