[Openswan Users] Tunnel on demand?
Paul Wouters
paul at xelerance.com
Thu Oct 26 18:38:40 EDT 2006
On Thu, 26 Oct 2006, Stefan Denker wrote:
> > If someone on your network requests a network resource on the far side
> > of the tunnel, then a connection gets made.
>
> Are you sure about this? The manpage says "auto=route" adds the
> connection plus does an "ipsec auto --route". Then "ipsec_auto" says:
>
> ,---
> | However, the route and only the route can be established with the
> | --route operation. Until and unless an actual connection is
> | established, this discards any packets sent there, which may be
> | preferable to having them sent elsewhere based on a more general route
> | (e.g., a default route).
> `---
>
> So only the route will get set, the connection will not get established
> automatically.
And that's for KLIPS. I am not sure what would happen with NETKEY.
> If the connection gets established automatically I'd be done cause the
> Cisco side tears down the tunnel if it's not used. I could live with
> that...
>
> > This is not pure on demand, though, once turned on the connection
> > stays on.
Not if you use rekey=no. It will die after the keylife has expired.
> > Now I haven't tested all this myself, but it should work.
>
> This would work, yes. But only if the manpage is wrong... *g*
Ahum. yeah.
Paul <--- been updating man pages this week
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
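The ipsec.conf fragment below combines the three options the thread turns on (auto=route, rekey=no and an explicit keylife). It is an illustration added here, not part of the original post, of Openswan's documentation or of any real configuration; the connection name, addresses, subnets and lifetimes are placeholder values chosen for the example. It assumes the KLIPS stack, which is the one the --route/%trap behaviour discussed above applies to; as Paul says, the NETKEY case is not settled in this thread.

```ini
# Illustrative Openswan ipsec.conf fragment (example only; all values below
# are assumed placeholders, not a recommendation for any real site).
conn cisco-ondemand
    # Local and remote gateway addresses and the subnets behind them
    # (placeholders)
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    authby=secret
    # Only the route is installed at startup, i.e. under KLIPS an eroute with
    # a %trap target for 10.2.0.0/16. Until an SA exists, matching packets
    # are discarded instead of leaving via the default route; the first
    # matching packet makes KLIPS ask pluto to negotiate, and the eroute shows
    # %hold while that negotiation is in progress.
    auto=route
    # Do not renegotiate when the SA lifetime runs out. The tunnel then goes
    # away after keylife, and the next matching packet re-triggers it through
    # the trap, which is as close to "on demand" as this setup gets.
    rekey=no
    # Phase 2 (IPsec SA) lifetime; with rekey=no this bounds how long one
    # negotiated tunnel stays up (assumed value)
    keylife=1h
    # Phase 1 (IKE SA) lifetime (assumed value)
    ikelifetime=8h
```

To check what this actually does on a KLIPS host, `ipsec eroute` lists the installed eroutes: the entry for the remote subnet reads %trap before any traffic, %hold while pluto is negotiating, and a tun0x... SA reference once the tunnel is up; `ipsec auto --status` shows the corresponding connection state. Note that with rekey=no the tunnel expires after keylife whether or not it was idle, so a busy connection is briefly interrupted until the next packet triggers a fresh negotiation.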