author | Andreas Steffen <andreas.steffen@strongswan.org> | 2007-06-26 10:46:30 +0000 |
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2007-06-26 10:46:30 +0000 |
commit | 361712fe37cddd7f056e6316a5baca125d08aa8c (patch) | |
tree | 09b16e16f6a413eba831669fdad3466ea16035a4 /testing/tests | |
parent | 4cb9d7a758751dfe658258bdf39671491ef29cc7 (diff) | |
download | strongswan-361712fe37cddd7f056e6316a5baca125d08aa8c.tar.bz2 strongswan-361712fe37cddd7f056e6316a5baca125d08aa8c.tar.xz |
use of the right=%<fqdn> wildcard
Diffstat (limited to 'testing/tests')
4 files changed, 8 insertions, 12 deletions
diff --git a/testing/tests/ikev1/dynamic-two-peers/description.txt b/testing/tests/ikev1/dynamic-two-peers/description.txt index cb63a984d..56a1c0754 100644 --- a/testing/tests/ikev1/dynamic-two-peers/description.txt +++ b/testing/tests/ikev1/dynamic-two-peers/description.txt @@ -1,8 +1,9 @@ The peers <b>carol</b>, <b>dave</b>, and <b>moon</b> all have dynamic IP addresses, -so that the remote end is defined symbolically by <b>right=<hostname></b>. +so that the remote end is defined symbolically by <b>right=%<hostname></b>. The ipsec starter resolves the fully-qualified hostname into the current IP address via a DNS lookup (simulated by an /etc/hosts entry). Since the peer IP addresses are -expected to change over time, the option <b>rightallowany=yes</b> will allow an IKE +expected to change over time, the prefix '%' is used as an implicit alternative to the +explicit <b>rightallowany=yes</b> option which will allow an IKE main mode rekeying to arrive from an arbitrary IP address under the condition that the peer identity remains unchanged. When this happens the old tunnel is replaced by an IPsec connection to the new origin. @@ -10,6 +11,5 @@ by an IPsec connection to the new origin. In this scenario both <b>carol</b> and <b>dave</b> initiate a tunnel to <b>moon</b> which has a named connection definition for each peer. Although the IP addresses of both <b>carol</b> and <b>dave</b> are stale, thanks to -the <b>rightallowany=yes</b> flag <b>moon</b> will accept the IKE negotiations -from the actual IP addresses. +the '%' prefix <b>moon</b> will accept the IKE negotiations from the actual IP addresses. diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf index ba6f7bfe9..41123c9d6 100755 --- a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf 
@@ -18,8 +18,7 @@ conn moon
 leftcert=carolCert.pem
 leftid=carol@strongswan.org
 leftfirewall=yes
- right=moon.strongswan.org
- rightallowany=yes
+ right=%moon.strongswan.org
 rightsubnet=10.1.0.0/16
 rightid=@moon.strongswan.org
 auto=add
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf
index 792ddbb0e..2ba4db724 100755
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf
@@ -18,8 +18,7 @@ conn moon
 leftcert=daveCert.pem
 leftid=dave@strongswan.org
 leftfirewall=yes
- right=moon.strongswan.org
- rightallowany=yes
+ right=%moon.strongswan.org
 rightsubnet=10.1.0.0/16
 rightid=@moon.strongswan.org
 auto=add
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf
index 040bd078a..50c3a6a69 100755
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf
@@ -19,15 +19,13 @@ conn %default
 leftfirewall=yes
 
 conn carol
- right=carol.strongswan.org
- rightallowany=yes
+ right=%carol.strongswan.org
 rightid=carol@strongswan.org
 rightsubnet=PH_IP_CAROL1/32
 auto=add
 
 conn dave
- right=dave.strongswan.org
- rightallowany=yes
+ right=%dave.strongswan.org
 rightid=dave@strongswan.org
 rightsubnet=PH_IP_DAVE1/32
 auto=add
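Review bot: The new `right=%moon.strongswan.org` line in carol's `conn moon` folds the former explicit `rightallowany=yes` into the address prefix, so a reader of the config no longer sees on its own line that IKE main mode rekeying is accepted from an arbitrary source address; a comment such as `# '%' resolves the FQDN at start and also accepts rekeying from any address (was rightallowany=yes)` would keep that visible. The same applies to dave's `conn moon` and to `conn carol` and `conn dave` on moon in the following hunks. Accepting any source address is only reasonable because each of these connections still pins the peer identity with `rightid=`; if a later edit loosened `rightid=`, the `%` form would be the line to re-examine. Each enclosing `conn` block starts outside its hunk.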