The peers <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the remote end
is defined symbolically by <b>right=<hostname></b>. The IKE daemon resolves the
fully-qualified hostname into the current IP address via a DNS lookup (simulated by an
/etc/hosts entry). Since the peer IP addresses are expected to change over time, the
<b>%</b> prefix in the <b>right</b> option allows an IKE_SA rekeying to arrive from an arbitrary
IP address under the condition that the peer identity remains unchanged. When this happens
the old tunnel is replaced by an IPsec connection to the new origin.
<p>
In this scenario <b>carol</b> first initiates a tunnel to <b>moon</b>. After some time <b>carol</b>
suddenly changes her IP address and restarts the connection to <b>moon</b> without deleting the
old tunnel first (simulated by iptables blocking IKE packets to and from
<b>carol</b> and starting the connection from host <b>dave</b> using <b>carol</b>'s identity).
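
With the % prefix the source address no longer constrains the peer, so the identity check is what ties the connection to the expected peer. The following is an added example, not part of the strongSwan test suite: a Python check that parses ipsec.conf-style text and flags connections that use right=%<hostname> without an explicit rightid. The sample configuration, hostnames, identities and function names are constructed, and treating a missing rightid as unpinned is an assumption of this example.

```python
# Constructed sample in ipsec.conf syntax; hostnames and identities are assumptions.
SAMPLE_CONF = """\
config setup

conn %default
    keyexchange=ikev2

conn moon-pinned
    leftid=carol@strongswan.org
    right=%moon.strongswan.org
    rightid=@moon.strongswan.org
    auto=add

conn moon-unpinned
    right=%moon.strongswan.org
    auto=add

conn static-peer
    right=192.168.0.1
    auto=add
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # section header starts at column 0
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) == 2
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def unpinned_dynamic_peers(text):
    """Conns whose right= has the % hostname prefix but no fixed rightid."""
    conns = parse_conns(text)
    defaults = conns.pop("%default", {})          # values inherited by every conn
    flagged = []
    for name, opts in conns.items():
        eff = {**defaults, **opts}
        right = eff.get("right", "")
        # %any wildcards are a different setup and are not covered by this check.
        dynamic = right.startswith("%") and not right.startswith("%any")
        if dynamic and eff.get("rightid", "%any") == "%any":  # assumption: missing = unpinned
            flagged.append(name)
    return flagged
```

The check does not follow also= includes; a connection that takes its rightid from an included section would be reported as unpinned.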