Hello Kevin,

On Wed., Jul 28, 2010, Kevin TOLLISON wrote:
>On Wed., Jul 28, 2010, Michael wrote:
>> My routers have a dynamic DNS - IPSec problem.
>>
>> [...]
>>
>> On the remote (static) router madrid.mynet.com, I see that the
>> SAD entries are never torn down and the SPD entries contain the
>> old IP address for tokyo.mynet.com.
>>
>> I've already activated dead peer detection (DPD). What else do
>> I need to do to get this working?
>>
>Have you tried setting up a scheduled ping to the other side?
>Pfsense now has an option to do this. I have used this trick
>successfully from a workstation or server for a long time in
>similar situations.
>

No, I was trying to solve the problem without resorting to a hack. I'll test your guess by letting ICMP traffic flow constantly between endpoints, but my gut feeling is that it won't solve the problem.

If I understand RFC 3706 [1] correctly, then IKE's dead peer detection was invented to achieve the results of your ping idea without generating additional traffic. Is the m0n0wall implementation of DPD buggy?

[1] http://www.ietf.org/rfc/rfc3706.txt

Regards,
Michael
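As an added illustration (not part of the thread, and not m0n0wall's or racoon's code), the RFC 3706 behaviour Michael is counting on: an endpoint only sends R-U-THERE after its idle timer expires, retransmits the same sequence number a bounded number of times, and tears down the SAs once the peer stops answering, which is what should have removed the stale SAD entries on madrid. The router names come from the thread; the tick-based timers, retry limit and the `DpdPeer` class are assumptions for the simulation.

```python
import random

R_U_THERE = 36136      # ISAKMP notify types defined by RFC 3706
R_U_THERE_ACK = 36137

class DpdPeer:
    """One IKE endpoint's dead-peer-detection state for a single IKE SA (simulation)."""
    def __init__(self, name, idle_limit=3, max_retries=3):
        self.name, self.idle_limit, self.max_retries = name, idle_limit, max_retries
        self.seq = random.getrandbits(31)  # randomized initial sequence number
        self.idle = 0            # ticks since the peer last proved it is alive
        self.outstanding = None  # R-U-THERE sequence number still awaiting its ACK
        self.retries = 0
        self.last_peer_seq = None  # highest R-U-THERE seen from the peer (anti-replay)
        self.peer_dead = False
        self.sad_entries = 1     # IPsec SAs currently installed for this peer

    def traffic_received(self):
        # Any authenticated traffic from the peer is proof of liveness; no probe needed.
        self.idle, self.outstanding, self.retries = 0, None, 0

    def tick(self):
        """Advance one timer interval; return (type, seq) to send, or None."""
        if self.peer_dead:
            return None
        self.idle += 1
        if self.idle < self.idle_limit:
            return None                      # traffic was recent enough, stay quiet
        if self.outstanding is None:         # idle too long: demand proof of liveness
            self.seq += 1
            self.outstanding, self.retries = self.seq, 0
            return (R_U_THERE, self.seq)
        self.retries += 1
        if self.retries >= self.max_retries:  # peer never answered: declare it dead
            self.peer_dead, self.sad_entries = True, 0  # tear down IKE SA and child SAs
            return None
        return (R_U_THERE, self.outstanding)  # retransmit with the same sequence number

    def receive(self, msg):
        mtype, seq = msg
        if mtype == R_U_THERE:
            if self.last_peer_seq is not None and seq <= self.last_peer_seq:
                return None                  # replayed or stale probe: drop it
            self.last_peer_seq = seq
            self.traffic_received()
            return (R_U_THERE_ACK, seq)      # ACK echoes the probe's sequence number
        if mtype == R_U_THERE_ACK and seq == self.outstanding:
            self.traffic_received()
        return None

def simulate(tokyo_reachable_until, ticks=40):
    """madrid probes tokyo; tokyo stops answering after the given tick (e.g. it was
    renumbered by its dynamic-DNS provider). Returns (tick_declared_dead, sad_entries)."""
    madrid, tokyo = DpdPeer("madrid.mynet.com"), DpdPeer("tokyo.mynet.com")
    for t in range(1, ticks):
        msg = madrid.tick()
        if msg and t <= tokyo_reachable_until:
            reply = tokyo.receive(msg)
            if reply:
                madrid.receive(reply)
        if madrid.peer_dead:
            return t, madrid.sad_entries
    return None, madrid.sad_entries
```

With the defaults, a peer that vanishes after tick 5 is declared dead at tick 9 (idle limit reached at tick 6, two retransmits, then the retry limit) and its SAs are removed; a peer that keeps answering is never torn down.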