The peers <b>carol</b>, <b>dave</b>, and <b>moon</b> all have dynamic IP addresses, so that the remote end is defined symbolically by <b>right=%<hostname></b>. The ipsec starter resolves the fully-qualified hostname into the current IP address via a DNS lookup (simulated by an /etc/hosts entry). Since the peer IP addresses are expected to change over time, the prefix '%' is used as an implicit alternative to the explicit <b>rightallowany=yes</b> option which will allow an IKE_SA rekeying to arrive from an arbitrary IP address under the condition that the peer identity remains unchanged. When this happens the old tunnel is replaced by an IPsec connection to the new origin.
<p>
In this scenario both <b>carol</b> and <b>dave</b> initiate a tunnel to <b>moon</b> which has a named connection definition for each peer. Although the IP addresses of both <b>carol</b> and <b>dave</b> are stale, thanks to the '%' prefix <b>moon</b> will accept the IKE negotiations from the actual IP addresses.
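
The implicit and explicit forms described above, side by side in an ipsec.conf for moon. This is an added example, not the test's own configuration; the hostnames, identities, certificate file name and subnet are assumed values.

```conf
# /etc/ipsec.conf on moon (constructed example; all names below are assumed)

conn %default
	keyexchange=ikev2
	leftcert=moonCert.pem
	leftid=@moon.strongswan.org
	leftsubnet=10.1.0.0/16
	auto=add

# Implicit form: the '%' prefix makes the starter resolve the hostname
# and also accepts the peer from an address other than the resolved one.
# Because the source address is no longer checked, rightid is what ties
# this connection to carol.
conn carol
	right=%carol.strongswan.org
	rightid=carol@strongswan.org

# Explicit form of the same behaviour, written out with rightallowany.
conn dave
	right=dave.strongswan.org
	rightallowany=yes
	rightid=dave@strongswan.org
```

With either form the peer's authenticated identity is the only remaining binding between a named connection and a host, so each conn pins its own rightid.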