[Openswan Users] On demand transport mode SA

Paul Wouters paul at xelerance.com
Mon Nov 3 20:55:45 EST 2008


On Mon, 3 Nov 2008, Alexandr Mazukabzov wrote:

>    Is there a way to configure OpenSwan for on demand transport mode SA
> up? I want to establish SA if traffic goes from one endpoint to another.

Maybe. Tunnel mode, though not very well tested with NETKEY yet, can
be used. With oe=on, you should trigger NETKEY to send acquires to
the pluto daemon, which should then be able to bring up the connection
on demand.

But this is not very well tested with NETKEY, which also does no
packet caching, meaning the packet that triggers the tunnel is always
lost.

With KLIPS, it works better. You can see the %trap eroute with "ipsec
eroute", and when using auto=route it should be ready to trigger on
packets, including caching of first and last packet.

Paul
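
An ipsec.conf sketch of the KLIPS setup the reply describes, added here as an example and not taken from the original post. The connection name and the 192.0.2.x addresses are constructed placeholders, and `authby=secret` assumes a matching pre-shared key entry already exists in ipsec.secrets on both hosts.

```conf
# Added example, not from the original post.
# Connection name and addresses are constructed placeholders.
version 2.0

config setup
	# KLIPS is the stack the reply says handles on-demand triggering better
	protostack=klips

conn host-to-host-ondemand
	# Transport mode: protect traffic between the two endpoints themselves
	type=transport
	left=192.0.2.10
	right=192.0.2.20
	# Assumption: a PSK for this pair is defined in ipsec.secrets
	authby=secret
	# Install the trap at startup; negotiate only when matching traffic appears
	auto=route
```

Once the connection is routed, `ipsec eroute` should list a %trap entry for the pair before any traffic has flowed.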

