[Openswan Users] RFC: make rekey=no default if other end is %any

Michael Smith msmith at cbnco.com
Mon Mar 7 15:35:50 EST 2011


I keep coming across tunnels where the default setting of rekey 
(rekey=yes) is applied to road warriors.

From what I understand, rekey=yes rarely or never makes sense for the 
central side of a road warrior connection with dynamic IPs, especially 
if the remote is behind NAT. If the central side tries to renegotiate it 
can lead to spurious log messages about retransmissions in the best 
case, or NAT devices blocking the port in the worst case.

I wonder if it'd be possible to default rekey=no if the remote end is %any.
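Until such a default exists, the conns the post describes can be found by inspection. The script below is an added example, not part of the post or of Openswan: it scans an ipsec.conf for conn sections with right=%any that do not set rekey=no, using a constructed sample file; it assumes the usual one-conn-per-section layout and does not follow include, also= or conn %default inheritance.

```shell
#!/bin/sh
# Flag ipsec.conf "conn" sections that set right=%any (road-warrior peer)
# but do not set rekey=no, i.e. that still rely on Openswan's rekey=yes
# default. Assumptions: one "conn NAME" line per section followed by
# indented key=value lines; "include" directives, "also=" references and
# "conn %default" inheritance are not followed.
flag_rekey_on_any() {
    awk '
        function report() {
            if (name != "" && any && rekey != "no") print name
        }
        /^conn[ \t]+/   { report(); name = $2; any = 0; rekey = "yes"; next }
        /^config[ \t]+/ { report(); name = ""; next }
        /^[ \t]+right[ \t]*=[ \t]*%any[ \t]*$/ { any = 1 }
        /^[ \t]+rekey[ \t]*=/ {
            split($0, kv, "="); gsub(/[ \t]/, "", kv[2]); rekey = kv[2]
        }
        END { report() }
    ' "$1"
}

# Constructed sample configuration (not from any real deployment).
write_sample_conf() {
    cat > "$1" <<'EOF'
config setup
    nat_traversal=yes

conn rw-default
    left=192.0.2.1
    right=%any
    authby=secret
    auto=add

conn rw-fixed
    left=192.0.2.1
    right=%any
    rekey=no
    authby=secret
    auto=add

conn site-to-site
    left=192.0.2.1
    right=198.51.100.7
    auto=start
EOF
}

# Stand-alone demo (run with --demo): prints the one offending conn, rw-default.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); write_sample_conf "$tmp"; flag_rekey_on_any "$tmp"; rm -f "$tmp"
fi
```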

