| 123456789101112 |
- The peers <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the remote end
- is defined symbolically by <b>right=<hostname></b>. The ipsec starter resolves the
- fully-qualified hostname into the current IP address via a DNS lookup (simulated by an
- /etc/hosts entry). Since the peer IP addresses are expected to change over time, the option
- <b>rightallowany=yes</b> will allow an IKE main mode rekeying to arrive from an arbitrary
- IP address under the condition that the peer identity remains unchanged. When this happens
- the old tunnel is replaced by an IPsec connection to the new origin.
- <p>
- In this scenario <b>carol</b> first initiates a tunnel to <b>moon</b>. After some time <b>carol</b>
- suddenly changes her IP address and restarts the connection to <b>moon</b> without deleting the
- old tunnel first (simulated by iptables blocking IKE packets to and from
- <b>carol</b> and starting the connection from host <b>dave</b> using <b>carol</b>'s identity).
|
