[Openswan Users] Tunnel on demand?

Stefan Denker Stefan at dn-kr.de
Thu Oct 26 06:34:59 EDT 2006


On Wed, Oct 25, 2006 at 12:53:20PM -0400, Peter McGill wrote:
> Although if I was to use the output of ipsec auto --status, I would
> probably look for "IPsec SA established" which indicates a working
> tunnel connection.  Like this:
> #!/bin/bash
> if ipsec auto --status | grep -q 'conn-name.*IPsec SA established'
> then
>  echo "Up."
> else
>  echo "Down."
> fi

This is almost exactly how I do it at the moment.

> Now this suggestion is not a pure on demand, but it might satisfy your 
> business partner.
> ipsec.conf
> conn conn-name
>    auto=route
> crontab
> 0 17 * * 1-5 /usr/local/sbin/ipsec auto --replace conn-name 2>&1> /dev/null
> What does this do?
> Well if your partner tries to connect to you, then a connection gets made.

Yes...

> If someone on your network requests a network resource on the far side
> of the tunnel, then a connection gets made.

Are you sure about this? The manpage says "auto=route" adds the
connection plus does an "ipsec auto --route". Then "ipsec_auto" says: 

,---
| However, the route and  only the  route  can  be  established with the
| --route operation.  Until and unless an actual connection is
| established, this discards any  packets sent there, which may be
| preferable to having them sent elsewhere based on a more general route
| (e.g., a default route).
`---

So only the route will get set, the connection will not get established
automatically. 

If the connection got established automatically I'd be done, because the
Cisco side tears down the tunnel if it's not used. I could live with
that...

> This is not pure on demand, though, once turned on the connection
> stays on.  However if your staff only need the connection during
> office hours, then you could add a cron entry like above, which will
> reset the connection at 5 pm, shutting the tunnel off until
> reactivated again, like the first time.

> Now I haven't tested all this myself, but it should work.

This would work, yes. But only if the manpage is wrong... *g*

Stefan

-- 
The fearful man is frightened before the danger, the coward in it, the brave man after it.
                                                                       Jean Paul
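The status check discussed in this exchange, as an added example that is not part of the original thread or of Openswan itself. It distinguishes "IPsec SA established" (tunnel up) from an ISAKMP-only state and from the routed-but-idle state that auto=route leaves behind, and it anchors the grep on the quoted connection name so that a similarly named connection (here the constructed "conn-name-2") does not produce a false "Up". The status lines are constructed samples modelled on the Openswan 2.x `ipsec auto --status` format, and the `ensure_up` helper and the `/usr/local/sbin/ipsec` path are assumptions, not anything the post specifies.

```shell
#!/bin/sh
# Added example, not from the original post or from Openswan.
# Classifies one connection from "ipsec auto --status" output read on stdin.
# Assumption: line formats follow Openswan 2.x, e.g.
#   000 "conn-name": 10.0.0.0/24===...; routed; eroute owner: #0
#   000 #2: "conn-name":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); ...

tunnel_state() {
    # $1 = connection name. Prints: up | phase1 | routed | unknown.
    # Anchoring on "name": keeps "conn-name" from matching "conn-name-2".
    name="\"$1\":"
    status=$(cat)
    if printf '%s\n' "$status" | grep -F "$name" | grep -q 'IPsec SA established'; then
        echo up          # phase 2 done, traffic can flow
    elif printf '%s\n' "$status" | grep -F "$name" | grep -q 'ISAKMP SA established'; then
        echo phase1      # only phase 1 negotiated so far
    elif printf '%s\n' "$status" | grep -F "$name" | grep -q '; routed;'; then
        echo routed      # auto=route installed the route, no SA yet
    else
        echo unknown
    fi
}

naive_check() {
    # The grep from the quoted post: the name may appear anywhere before
    # "IPsec SA established", so a line for "conn-name-2" also matches.
    if grep -q "$1.*IPsec SA established"; then echo Up; else echo Down; fi
}

ensure_up() {
    # Hypothetical cron helper: bring the connection up unless it is up.
    # IPSEC path is an assumption; override with IPSEC=... in the environment.
    IPSEC=${IPSEC:-/usr/local/sbin/ipsec}
    state=$("$IPSEC" auto --status | tunnel_state "$1")
    case $state in
        up) return 0 ;;
        *)  "$IPSEC" auto --up "$1" ;;
    esac
}

# Constructed sample status output (not captured from a real system).
SAMPLE_UP='000 "conn-name": 192.168.1.0/24===192.0.2.1...198.51.100.1===10.0.0.0/24; erouted; eroute owner: #2
000 #2: "conn-name":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2345s; newest IPSEC; eroute owner
000 #1: "conn-name":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1234s; newest ISAKMP'

SAMPLE_PHASE1='000 "conn-name": 192.168.1.0/24===192.0.2.1...198.51.100.1===10.0.0.0/24; routed; eroute owner: #0
000 #1: "conn-name":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1234s; newest ISAKMP'

# conn-name is only routed here; the look-alike conn-name-2 is fully up.
SAMPLE_ROUTED='000 "conn-name": 192.168.1.0/24===192.0.2.1...198.51.100.1===10.0.0.0/24; routed; eroute owner: #0
000 "conn-name-2": 192.168.2.0/24===192.0.2.1...198.51.100.2===10.0.1.0/24; erouted; eroute owner: #4
000 #4: "conn-name-2":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2000s; newest IPSEC; eroute owner'
```

To use it against a live system, run `ipsec auto --status | tunnel_state conn-name` (or put `ensure_up conn-name` in the crontab instead of the `--replace` line); on the constructed `SAMPLE_ROUTED` input the naive grep reports "Up" for conn-name while `tunnel_state` correctly reports "routed".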