[Openswan Users] RFC: make rekey=no default if other end is %any
msmith at cbnco.com
Mon Mar 7 15:35:50 EST 2011
I keep coming across tunnels where the default setting of rekey
(rekey=yes) is applied to road warriors.
From what I understand, rekey=yes rarely or never makes sense for the
central side of a road warrior connection with a dynamic IPs, especially
if the remote is behind NAT. If the central side tries to renegotiate it
can lead to spurious log messages about retransmissions in the best
case, or NAT devices blocking the port in the worse case.
I wonder if it'd be possible to default rekey=no if the remote end is %any.
More information about the Users