strongSwan KVM Tests / ikev1 / dynamic-responder

Test ikev1/dynamic-responder

Description

The peers carol and moon both have dynamic IP addresses, so the remote_addrs field on each side contains a Fully Qualified Domain Name (FQDN), which is resolved via a DNS lookup (simulated by an /etc/hosts entry) immediately before use. This allows an IKE main mode rekeying to arrive from an arbitrary IP address, provided the peer identity remains unchanged. When this happens, the old tunnel is replaced by an IPsec connection to the new origin.

In this scenario, moon first initiates a tunnel to carol. After some time, the responder carol suddenly changes her IP address and restarts the connection to moon without deleting the old tunnel first (simulated by blocking IKE packets to and from carol with iptables and initiating the connection from host dave using carol's identity).
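As an added example (not one of the test's own configuration files, which are not reproduced on this page), a swanctl.conf connection on moon that matches the behaviour described above; the hostname carol.strongswan.org, the certificate identities, the traffic selectors, the proposals and the uniqueness setting are all assumptions:

```ini
# moon's swanctl.conf (assumed example, not the test's actual configuration)
connections {
    carol {
        # IKEv1 main mode; aggressive mode is not used
        version = 1
        aggressive = no
        # FQDN instead of a fixed address: resolved with a fresh lookup
        # (here served from /etc/hosts) each time the address is needed,
        # so carol may reappear from a different IP address
        remote_addrs = carol.strongswan.org
        # Authentication is bound to the certificate identity, not to the
        # source address, so a rekeying from a new origin is accepted only
        # if it carries carol's identity (assumed identities and cert names)
        local {
            auth = pubkey
            certs = moonCert.pem
            id = moon.strongswan.org
        }
        remote {
            auth = pubkey
            id = carol.strongswan.org
        }
        # Assumed: tear down the previous IKE_SA when the same peer identity
        # establishes a new one, so no stale tunnel to the old address remains
        unique = replace
        proposals = aes128-sha256-modp2048
        children {
            net-carol {
                # assumed: moon's subnet to carol's dynamically assigned address
                local_ts = 10.1.0.0/16
                remote_ts = dynamic
                esp_proposals = aes128-sha256
            }
        }
    }
}
```

After carol reconnects from the new address, `swanctl --list-sas` on moon should list a single IKE_SA for carol.strongswan.org at that address; a second, lingering IKE_SA to the old address would indicate that the replacement did not take place.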

Network topology (figure): hosts alice, moon, carol, winnetou and dave.
