[Openswan Users] Tunnel on demand?

Paul Wouters paul at xelerance.com
Fri Oct 20 15:48:25 EDT 2006


On Fri, 20 Oct 2006, Stefan Denker wrote:

> so, I've successfully established a connection between
> Openswan/Netkey(local) and a Cisco VPN 3000(remote). Now the
> administrator of the remote site doesn't like to have the tunnel
> established all the time, it should only be established if it is
> actually used.

What's his argumentation for that? His Cisco is running out of memory
for state? Keeping the tunnel up all the time costs 5 packets for a
rekey every hour.

> So, I have to figure out some way to implement "Dial on demand" with
> openswan, some way to transparently establish the tunnel if some local
> machine tries to connect to some remote machine. Any hints about how to
> do that?

Opportunistic Encryption can do that, but not to a Cisco box. And it
requires "first packet caching", which klips supports but netkey does
not.

So I'm afraid you'll have to do something strange, like changing routing
into some other device, e.g. like the old ppp dialup scripts, which used
a dummy route into 127.0.0.2 into some device that triggered the setup
of the tunnel.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
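The polling variant of the trick Paul describes, as an added example (not part of his reply or of Openswan's own scripts): packets for the remote subnet are counted by an iptables rule, and a watcher brings the connection up when the counter moves and down after an idle period. The connection name "ciscotunnel", the remote subnet 10.99.0.0/16 and the idle limit are assumptions; as Paul notes, netkey does no first-packet caching, so the packets that trigger the setup are lost until the tunnel is up.

```shell
#!/bin/sh
# Added example: poll-based "tunnel on demand" for Openswan/netkey.
# Assumed setup (constructed, not from the thread): a conn named
# "ciscotunnel" in ipsec.conf and a counting rule such as
#   iptables -I OUTPUT -d 10.99.0.0/16 -j ACCEPT
# whose packet counter is read with iptables -L -v -x -n.
CONN=ciscotunnel
REMOTE_NET=10.99.0.0/16
IDLE_LIMIT=600   # seconds without traffic before tearing the tunnel down
POLL=5           # seconds between counter reads

# Pure decision logic, kept separate so it can be tested without ipsec:
# decide <prev_count> <cur_count> <tunnel_state up|down> <idle_seconds>
# prints "up", "down" or "none".
decide() {
    prev=$1; cur=$2; state=$3; idle=$4
    if [ "$cur" -gt "$prev" ]; then
        # New packets for the remote subnet: bring the tunnel up if it is down.
        [ "$state" = down ] && echo up || echo none
    elif [ "$state" = up ] && [ "$idle" -ge "$IDLE_LIMIT" ]; then
        echo down
    else
        echo none
    fi
}

# Packet counter of the first OUTPUT rule whose line mentions REMOTE_NET.
read_count() {
    iptables -L OUTPUT -v -x -n | awk -v net="$REMOTE_NET" \
        'index($0, net) { print $1; exit }'
}

poll_loop() {
    prev=$(read_count); state=down; idle=0
    while sleep "$POLL"; do
        cur=$(read_count)
        case $(decide "$prev" "$cur" "$state" "$idle") in
            up)   ipsec auto --up "$CONN" && state=up; idle=0 ;;
            down) ipsec auto --down "$CONN" && state=down; idle=0 ;;
            none) [ "$cur" -gt "$prev" ] && idle=0 || idle=$((idle + POLL)) ;;
        esac
        prev=$cur
    done
}

# Only start polling when invoked as "script run", so sourcing has no side effects.
if [ "${1:-}" = run ]; then poll_loop; fi
```

The counter comparison assumes the rule is not flushed or reset while the loop runs; a reset makes cur < prev and simply counts as no traffic.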

