 From:  Michael <monowall at encambio dot com>
 To:  M0n0wall list <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] IPSec and dynamic DNS
 Date:  Thu, 29 Jul 2010 11:05:30 +0200
Hello Kevin,

On Wed., Jul 28, 2010, Kevin TOLLISON wrote:
>On Wed., Jul 28, 2010, Michael wrote:
>> My routers have a dynamic DNS - IPSec problem.
>> [...]
>> On the remote (static) router madrid.mynet.com, I see that the
>> SAD entries are never torn down and the SPD entries contain the
>> old IP address for tokyo.mynet.com.
>> I've already activated dead peer detection (DPD). What else do
>> I need to do to get this working?
>Have you tried setting up a scheduled ping to the other side?
>pfSense now has an option to do this. I have used this trick
>successfully from a workstation or server for a long time in
>similar situations.
No, I was trying to solve the problem without resorting to a hack.

I'll test your guess by letting ICMP traffic flow constantly between
endpoints, but my gut feeling is that it won't solve the problem.

If I understand RFC 3706 [1] correctly, then IKE's dead peer
detection was invented to achieve the results of your ping idea
without generating additional traffic.

Is the m0n0wall implementation of DPD buggy?

[1] http://www.ietf.org/rfc/rfc3706.txt
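The symptom described above, a static-side SPD that still names the dynamic peer's previous address, can be checked mechanically rather than by eyeballing `setkey -DP`. The following script is an added example for this page; it is not code from the thread, from m0n0wall or from ipsec-tools. It parses a dump in the layout that setkey(8) prints on a FreeBSD/ipsec-tools host, picks out the tunnel-mode policies whose remote traffic selector lies in the peer's networks, compares their remote tunnel endpoint with what DNS currently says for the peer's dynamic name, and emits `spddelete` lines for the stale ones. The SPD text, the addresses (RFC 5737 documentation ranges), the peer networks and the DNS answer are all constructed for the example; the `spddelete` syntax follows the setkey(8) grammar as I recall it and should be checked against the man page of the installed version before anything is fed to `setkey -c`.

```python
"""Find setkey(8) SPD tunnel policies that still point at a dynamic-DNS
peer's old address.  Example code, not part of m0n0wall or ipsec-tools."""
import ipaddress
import re
from typing import Callable, Iterable, List, NamedTuple, Tuple

# Constructed sample in the layout of `setkey -DP` on the static router
# (local endpoint 198.51.100.7).  The peer used to be 203.0.113.5; a third
# policy belongs to an unrelated static peer and a fourth is a non-IPsec
# policy without tunnel endpoints.  Entries and addresses are made up.
SAMPLE_SPD = """\
10.1.0.0/24[any] 10.2.0.0/24[any] any
\tout ipsec
\tesp/tunnel/198.51.100.7-203.0.113.5/unique#16385
\tspid=2 seq=2 pid=4242
\trefcnt=1
10.2.0.0/24[any] 10.1.0.0/24[any] any
\tin ipsec
\tesp/tunnel/203.0.113.5-198.51.100.7/unique#16386
\tspid=1 seq=1 pid=4242
\trefcnt=1
10.1.0.0/24[any] 10.3.0.0/24[any] any
\tout ipsec
\tesp/tunnel/198.51.100.7-192.0.2.10/unique#16387
\tspid=4 seq=0 pid=4242
\trefcnt=1
10.1.0.0/24[any] 10.9.0.0/24[any] any
\tout discard
\tspid=6 seq=3 pid=4242
\trefcnt=1
"""

# Constructed stand-in for DNS: the dynamic peer has moved to a new address.
# In real use, pass socket.gethostbyname (or a resolver of your choice).
CONSTRUCTED_DNS = {"tokyo.mynet.com": "203.0.113.9"}


class Policy(NamedTuple):
    spid: int
    direction: str   # "in", "out" or "fwd"
    src_range: str   # traffic selector as setkey prints it, e.g. "10.1.0.0/24[any]"
    dst_range: str
    upper: str       # upper-layer protocol spec, usually "any"
    local_ip: str    # tunnel endpoint on this host
    remote_ip: str   # tunnel endpoint on the peer


HEADER = re.compile(r"^(\S+) (\S+) (\S+)$")
DIRECTION = re.compile(r"^\s+(in|out|fwd) ipsec$")
TUNNEL = re.compile(r"^\s+(?:esp|ah|ipcomp)/tunnel/([^\s-]+)-([^\s/]+)/")
SPID = re.compile(r"^\s+spid=(\d+)")


def parse_spd(text: str) -> List[Policy]:
    """Split a dump into entries (one unindented header line each) and keep
    the tunnel-mode IPsec policies; discard/none and transport-mode entries
    carry no tunnel endpoints and are skipped."""
    blocks: List[List[str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            blocks.append([line])
        elif blocks:
            blocks[-1].append(line)
    policies: List[Policy] = []
    for block in blocks:
        hm = HEADER.match(block[0])
        dm = tm = sm = None
        for line in block[1:]:
            dm = dm or DIRECTION.match(line)
            tm = tm or TUNNEL.match(line)
            sm = sm or SPID.match(line)
        if not (hm and dm and tm and sm):
            continue
        direction = dm.group(1)
        ep_src, ep_dst = tm.group(1), tm.group(2)
        # Outbound: tunnel src is us, dst is the peer.  Inbound/fwd: reversed.
        local_ip, remote_ip = (ep_src, ep_dst) if direction == "out" else (ep_dst, ep_src)
        policies.append(Policy(int(sm.group(1)), direction, hm.group(1),
                               hm.group(2), hm.group(3), local_ip, remote_ip))
    return policies


def _selector_net(selector: str):
    """'10.2.0.0/24[any]' -> ip_network('10.2.0.0/24'); drops the port part."""
    return ipaddress.ip_network(selector.split("[", 1)[0], strict=False)


def policies_for_peer(policies: Iterable[Policy], peer_nets: Iterable[str]) -> List[Policy]:
    """Policies whose remote traffic selector lies inside one of the peer's networks."""
    nets = [ipaddress.ip_network(n) for n in peer_nets]
    chosen = []
    for p in policies:
        remote_net = _selector_net(p.dst_range if p.direction == "out" else p.src_range)
        if any(remote_net.version == n.version and remote_net.subnet_of(n) for n in nets):
            chosen.append(p)
    return chosen


def stale_policies(policies: Iterable[Policy], peer_host: str, peer_nets: Iterable[str],
                   resolve: Callable[[str], str]) -> List[Tuple[Policy, str]]:
    """(policy, current_peer_ip) for every peer policy whose tunnel endpoint
    differs from the address DNS returns for the peer right now."""
    current = resolve(peer_host)
    return [(p, current) for p in policies_for_peer(policies, peer_nets) if p.remote_ip != current]


def setkey_delete_commands(stale: Iterable[Tuple[Policy, str]]) -> List[str]:
    """spddelete lines for `setkey -c`; review them before running."""
    return [f"spddelete {p.src_range} {p.dst_range} {p.upper} -P {p.direction};" for p, _ in stale]


if __name__ == "__main__":
    found = stale_policies(parse_spd(SAMPLE_SPD), "tokyo.mynet.com",
                           ["10.2.0.0/24"], CONSTRUCTED_DNS.get)
    for p, now in found:
        print(f"spid={p.spid} {p.direction}: SPD has {p.remote_ip}, DNS says {now}")
    print("\n".join(setkey_delete_commands(found)))
```

Run it against a live box with `setkey -DP | python3 spdcheck.py` after swapping the sample text for `sys.stdin.read()` and the dictionary for `socket.gethostbyname`. Deleting the stale policies (and the matching SAs with `setkey -D` / `deleteall`) forces racoon to rebuild them with the peer's current address; whether DPD should have done that on its own is exactly the question the message leaves open.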