Per my earlier post I'm trying to debug an IPSec Tunnel between two  
Soekris boxes running OpenBSD 4.5. One side of the connection has  
static IP, the other is a DSL connection and uses dynamic IP. When the  
IP address changes the tunnel drops and the only way I've come up with  
to restore it is to log into the remote side and do the following  
shell commands:

      # kill $(cat /var/run/isakmpd.pid)
      # /sbin/isakmpd -K
      # /sbin/ipsecctl -f /etc/ipsec.conf

I just spent an hour working on the remote side and I've come up with  
more information on the problem. Particularly with isakmpd

My /etc/ipsec.conf looks like this:

my_fqdn="myfqdn.example.com"
my_ip="1.2.3.4"
my_network="192.168.64.0/24"

remote_fqdn="remotefqdn.example.com"
remote_ip="5.6.7.8"
remote_network="192.168.65.0/24"

ike dynamic esp from { $my_ip $my_network} \
         to { $remote_fqdn $remote_network} \
         local $my_ip peer $remote_fqdn \
         srcid $my_fqdn dstid $remote_fqdn

ike dynamic esp from $my_ip to $remote_fqdn \
         local $my_ip peer $remote_fqdn \
         srcid $my_fqdn dstid $remote_fqdn


Through dhclient-script and dhclient-exit-hooks I'm able to do this:

      # ipsecctl -F -D my_ip=${new_ip_address} -f /etc/ipsec.conf

At the time that dhclient changes my IP address but, this doesn't  
work. Isakmpd complains thusly:

Aug 29 16:19:53 stompbox isakmpd[14934]: udp_create: 1.2.3.4:500 must  
exist as a listener too
Aug 29 16:19:53 stompbox isakmpd[14934]: exchange_establish: transport  
"udp" for peer "peer-5.6.7.8-local-1.2.3.4" could not be created

I believe these messages are cause by the first call to isakmpd which  
happens before I know what IP address I have.

If I could get this piece of things to work I think that could solve  
the rest of my problems by just running ddclient as a daemon with a  
timeout of 5 minutes.

Again, Thanks for any assistance

-- Chris

P.S. my earlier post is below.

On Aug 29, 2009, at 2:09 PM, Christopher Hilton wrote:

quoted text
> I'm having Dynamic IP issues with dhclient, ddclient, and isakmpd,  
> on OpenBSD running on a Soekris net4511 as a residential gateway. My  
> connection is a consumer grade AT&T DSL line. My IP address changes  
> an average of once every 18 hours but that is not set. I have an  
> IPSEC tunnel configured using certificates and FQDN identifiers  
> between the Soekris and another OpenBSD box in my basement on a  
> static IP connection. This whole setup works as follows: The Soekris  
> get's its external IP via dhclient. Ddclient updates this address at  
> DynDNS.com and isakmpd should then follow by establishing the  
> tunnel. All of this works great on boot. When the external IP get's  
> changed by AT&T, isakmpd fails because it continues to use the old  
> IP address for the IKE exchange. I can restore the tunnel with the  
> following shell commands:
>
>     # kill $(cat /var/run/isakmpd.pid)
>     # /usr/sbin/isakmpd -K
>     # /usr/sbin/ipsecctl -F -f /etc/ipsec.conf
>
> Shouldn't the ipsec tunnel get restored by just the third command?
>
> Things that I've tried. I've changed the dhclient-script to one that  
> calls enter and exit hooks like the stock ISC dhclient does and I've  
> added a little bit of scripting there to capture the IP address  
> change event but when I add the call to do the updates within this  
> script dhclient fails and dies. I'm inclined to believe that this is  
> a timeout issue since the exact same modifications work on a Soekris  
> Net5501. The only differences that I can see between the two of them  
> are that ddclient takes about 8 ~ 10 seconds on the Net4511 and  
> about 1.5 seconds on the Net5501.
>
> I've also tried running sshd on the box and having it available so I  
> could just log in and manage the transition on my own but that seems  
> to fail also. Do I need to restart pf after an address change on my  
> external interface?
>
> Thanks for any help
> -- Chris