[Openswan Users] Tunnel on demand?

Paul Wouters paul at xelerance.com
Thu Oct 26 18:38:40 EDT 2006

On Thu, 26 Oct 2006, Stefan Denker wrote:

> > If someone on your network requests a network resource on the far side
> > of the tunnel, then a connection gets made.
> Are you sure about this? The manpage says "auto=route" adds the
> connection plus does an "ipsec auto --route". Then "ipsec_auto" says:
> ,---
> | However, the route and only the route can be established with the
> | --route operation.  Until and unless an actual connection is
> | established, this discards any packets sent there, which may be
> | preferable to having them sent elsewhere based on a more general route
> | (e.g., a default route).
> `---
> So only the route will get set, the connection will not get established
> automatically.

And that's for KLIPS. I am not sure what would happen with NETKEY.

> If the connection gets established automatically I'd be done cause the
> Cisco side tears down the tunnel if it's not used. I could live with
> that...
> > This is not pure on demand, though, once turned on the connection
> > stays on.

Not if you use rekey=no. It will die after the keylife has expired.

> > Now I haven't tested all this myself, but it should work.
> This would work, yes. But only if the manpage is wrong... *g*

Ahum. yeah.

Paul <--- been updating man pages this week
Building and integrating Virtual Private Networks with Openswan:
