[Openswan Users] RFC: make rekey=no default if other end is %any

Paul Wouters paul at xelerance.com
Mon Mar 7 19:35:10 EST 2011

On Mon, 7 Mar 2011, Michael Smith wrote:

> I keep coming across tunnels where the default setting of rekey
> (rekey=yes) is applied to road warriors.
> From what I understand, rekey=yes rarely or never makes sense for the
> central side of a road warrior connection with dynamic IPs, especially
> if the remote is behind NAT. If the central side tries to renegotiate it
> can lead to spurious log messages about retransmissions in the best
> case, or NAT devices blocking the port in the worst case.
> I wonder if it'd be possible to default rekey=no if the remote end is %any.

That would cause disasters for everyone with subnet-subnet tunnels out
there on static ipsec gateways that would upgrade. The default case
should always be to rekey. Only the exception is not to rekey. You just
happen to be mostly using the one exception case of a VPN access gateway
for roadwarriors.
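The "rekey is the default, no-rekey is the exception" split in practice, as an added illustration that is not part of either message above: an Openswan ipsec.conf sketch that leaves rekey at its default on a static subnet-to-subnet conn and sets rekey=no only on the gateway side of the %any road-warrior conn. All addresses, subnets and conn names are placeholders chosen for this example.

```ini
# Added example, not from the mailing-list thread. Addresses, subnets and
# conn names are placeholders.
config setup
        nat_traversal=yes

# Static gateway-to-gateway tunnel: both ends have fixed addresses, so the
# default (rekey=yes) is correct and either side may start the renegotiation.
conn site-to-site
        left=192.0.2.1
        leftsubnet=10.1.0.0/16
        right=198.51.100.1
        rightsubnet=10.2.0.0/16
        authby=secret
        auto=start

# Road-warrior access conn on the central gateway: the peer is %any and is
# often behind NAT, so a gateway-initiated rekey may hit a closed NAT mapping
# or a client whose address has changed. rekey=no here is the exception the
# reply refers to; the client keeps its own default of rekey=yes and does the
# renegotiating.
conn roadwarrior
        left=192.0.2.1
        leftsubnet=10.1.0.0/16
        right=%any
        rightsubnet=vhost:%priv,%no
        authby=secret
        auto=add
        rekey=no
```

Setting rekey=no on one side only shifts the responsibility: if the client also had rekey=no, the SA would simply expire and the tunnel would drop, so the change belongs on the %any gateway conn alone, not as a global default.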


More information about the Users mailing list