[Openswan Users] Tunnel on demand?

Peter McGill petermcgill at goco.net
Thu Oct 26 13:24:52 EDT 2006


> ,---
> | However, the route and  only the  route  can  be  established with the
> | --route operation.  Until and unless an actual connection is
> | established, this discards any  packets sent there, which may be
> | preferable to having them sent elsewhere based on a more general route
> | (e.g., a default route).
> `---

> So only the route will get set, the connection will not get established
> automatically. 

> If the connection gets established automatically I'd be done cause the
> Cisco side tears down the tunnel if it's not used. I could live with
> that... 

> This would work, yes. But only if the manpage is wrong... *g*

I'm not sure if I'd say the manpage was wrong or simply unclear.
But I've had this work for me in the past (years ago), but stopped using it,
so I suggested it, but wasn't sure if it still worked.

But I tested today to be sure and it works, here are my results.
Local Router Version: ipsec --version Linux Openswan 2.4.6 (klips) uname -r 2.4.31
Remote Router Version: Nortel (Contivity Extranet/VPN) Switch 600+ Revision V05_00.136

auto=add
Sets up the connection, but does not start it right away; it waits for the remote end to initiate.

auto=start
Sets up the connection, and starts it right away.

auto=route
Sets up the connection, but does not start it right away; it waits for the remote end to initiate,
or for local generated traffic destined for the remote end (which causes it to initiate the tunnel.)

In both add and route cases there is no visible (route -n) route in the routing table before the
two ends are connected, but there is once connected.

Therefore, auto=route is basically 1 half of on demand, it will start on demand, but openswan
will not destroy the tunnel after a period of inactivity. However it will allow the remote end to
terminate the tunnel, and will not reconnect it.


Peter McGill
Software Developer / Network Administrator
Gra Ham Energy Limited
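
As an added example (not part of the original message and not Openswan code), the Python below reads ipsec.conf text and reports each conn's start-up behaviour using the auto= values described in the message above. The conn names and addresses are constructed placeholders; the `ignore` default for an unset auto= is taken from ipsec.conf(5), and `also=` includes are not followed.

```python
import re

# Start-up behaviour per auto= value, as described in the message above.
AUTO = {
    "add": "loaded; waits for the remote end to initiate",
    "start": "loaded and initiated right away",
    "route": "loaded; initiated by the remote end or by local traffic to it",
    "ignore": "not loaded at startup",  # ipsec.conf(5) default when auto= is unset
}

def parse_conns(text):
    """Return {conn: {key: value}} from ipsec.conf text, with conn %default applied."""
    conns, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            current = None                       # an empty line ends the section
            continue
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if not line:
            continue                             # comment-only line
        if not line[0].isspace():                # header: "conn NAME", "config setup"
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) == 2
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}

def startup_report(text):
    """Map each conn name to (auto value, start-up behaviour)."""
    report = {}
    for name, opts in parse_conns(text).items():
        auto = opts.get("auto", "ignore")
        report[name] = (auto, AUTO.get(auto, "value not described above"))
    return report

# Constructed sample; names and addresses are placeholders.
SAMPLE = """\
conn %default
    auto=add

conn on-demand
    right=198.51.100.1
    auto=route   # bring up on first outbound packet
conn responder-only
    right=203.0.113.9
"""
```

Calling `startup_report(SAMPLE)` shows `on-demand` as `route` and `responder-only` as `add`, the latter inherited from `conn %default`.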

