[Openswan Users] Tunnel on demand?

Peter McGill petermcgill at goco.net
Wed Oct 25 12:53:20 EDT 2006


> Ok, I am going to do something strange. Maybe I'll post about how I did
> it once I got it working. 

> Before I get started I got another question: Which is the "official" way
> to see whether a connection is established or not? I know "ipsec auto
> --status" will give me the information needed, but it gives a lot more.

> And (but this is maybe better posted to the developer mailing list)
> speaking of "ipsec auto --status": Which states (STATE_MAIN_I1,
> STATE_QUICK_R2) can a connection be in? Is there a documentation ( apart
> from *.c *g* ) of these somewhere? 

doc/ipsec.html has a pretty detailed description of the basic IPsec negotiation process.
Although if I were to use the output of ipsec auto --status, I would probably look
for "IPsec SA established", which indicates a working tunnel connection.
Like this:
#!/bin/bash
# Report whether the tunnel "conn-name" is up, based on pluto's status output.
# "IPsec SA established" only appears once phase 2 has completed, so a
# connection that is still negotiating (or has only an ISAKMP SA) counts as down.
if ipsec auto --status | grep -q 'conn-name.*IPsec SA established'
then
  echo "Up."
else
  echo "Down."
fi

Now this suggestion is not purely on demand, but it might satisfy your business partner.
ipsec.conf
conn conn-name
    # route only: install the trap route now, negotiate when traffic appears
    auto=route
crontab
# 5 pm Mon-Fri: drop and re-add the connection; discard stdout and stderr
0 17 * * 1-5 /usr/local/sbin/ipsec auto --replace conn-name > /dev/null 2>&1

What does this do?
Well if your partner tries to connect to you, then a connection gets made.
If someone on your network requests a network resource on the far side of the tunnel,
then a connection gets made.
Basically the connection is only activated when requested.
This is not purely on demand, though: once turned on, the connection stays on.
However if your staff only need the connection during office hours, then you could add
a cron entry like above, which will reset the connection at 5 pm, shutting the tunnel off
until reactivated again, like the first time.

Now I haven't tested all this myself, but it should work.

Peter McGill
Software Developer / Network Administrator
Gra Ham Energy Limited
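As an added example (not code from Peter's message or from Openswan), a POSIX shell function that classifies one connection from `ipsec auto --status` output, separating a fully established tunnel from one that has only finished phase 1, which is the case the plain grep above deliberately treats as down. The sample status lines are constructed to resemble Openswan 2.x output and are an assumption, as are the connection names "office" and "partner".

```shell
#!/bin/sh
# Classify one Openswan connection from the text of `ipsec auto --status`.
# Usage: ipsec auto --status | tunnel_state conn-name
# Prints "established" (IPsec SA up, traffic flows), "phase1-only"
# (only the ISAKMP SA exists, so no tunnel yet), or "down" (no SA at all).
# Openswan prints the connection name in double quotes, so matching the
# quoted name avoids confusing "office" with "office-backup".
tunnel_state() {
    conn="$1"
    status=$(cat)
    if printf '%s\n' "$status" | grep -q "\"$conn\".*IPsec SA established"; then
        echo established
    elif printf '%s\n' "$status" | grep -q "\"$conn\".*ISAKMP SA established"; then
        echo phase1-only
    else
        echo down
    fi
}

# Constructed sample (assumption): status lines shaped like Openswan 2.x output,
# with "office" fully up and "partner" stuck after phase 1.
SAMPLE_STATUS='000 #2: "office":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2253s; newest ISAKMP; idle
000 #3: "office":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27990s; newest IPSEC; eroute owner; isakmp#2; idle
000 #5: "partner":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1200s; newest ISAKMP; idle'

# Exit status suitable for a monitoring check or as a guard in the cron job:
# 0 only when the named tunnel is fully established.
tunnel_is_up() {
    [ "$(tunnel_state "$1")" = established ]
}

# Run against the live daemon when invoked as: ./tunnel_state.sh --live conn-name
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    /usr/local/sbin/ipsec auto --status | tunnel_state "$2"
fi
```

A "phase1-only" result for a connection that should be carrying traffic usually means phase 2 (quick mode) failed, typically a subnet or proposal mismatch, which a bare up/down check would hide.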

