Bug #1254


IPsec dynamic tunnels don't reload correctly

Added by Chris Buechler almost 11 years ago. Updated almost 11 years ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:


/etc/rc.newipsecdns does not reload dynamic tunnels as it should.

Actions #2

Updated by Scott Ullrich almost 11 years ago

Use this test program to compare:


$dns_record = "";

echo "gethostbyname = " . gethostbyname($dns_record);
echo "\n";
echo "dns_get_record = " . print_r(dns_get_record($dns_record, DNS_A));


Actions #3

Updated by Chris Buechler almost 11 years ago

  • Subject changed from PHP's gethostbyname returns stale info to IPsec dynamic tunnels don't reload correctly
  • Status changed from New to Resolved

updated ticket to actual problem, it appears actually that there is no caching at all in gethostbyname, it issues a DNS query every single time it's run regardless of TTL, at least when run via CLI in /etc/rc.newipsecdns. The problem was missing the $config array when running the vpn_ipsec* functions which made them fail. confirmed working now.

Actions #4

Updated by Joe Kelly almost 11 years ago

If this is the same issue as the one discussed in the forum thread "VPN IPsec Remote gateway using DDNS doesn't update" (,29903.15.html), I can confirm that this fix does indeed work. I tried changing the IP address 5 times in a row and every time, the tunnel came back up in an average of about 30 seconds. Very nice work Chris!

One thing to note is that the old SAD entries for the old IP addresses don't seem to get cleared up -- at least not right away. I assume they'll expire after one of the Phase X lifetimes expires (don't know which one). I'm not sure if this is a big deal or not but I thought I should mention it anyway in case the old SAD entries are actually supposed to be cleaned up right away when the tunnel is reloaded with the new address.

Actions #5

Updated by Chris Buechler almost 11 years ago

Joe - the second issue you noticed requires DPD to function, see my post on the 2.0 board on the forum re: ipsec-tools 0.8.0, it fixes that.


Also available in: Atom PDF