[Openswan Users] RFC: make rekey=no default if other end is %any

Michael Smith msmith at cbnco.com
Mon Mar 7 19:40:46 EST 2011

On Mon, 7 Mar 2011, Paul Wouters wrote:

> On Mon, 7 Mar 2011, Michael Smith wrote:
> > I wonder if it'd be possible to default rekey=no if the remote end is %any.
> That would cause disasters to everyone with subnet-subnet tunnels out
> there on static ipsec gateways that would upgrade.

The end with the dynamic IP would still have rekey=yes, because the other 
end would be static. The end with the dynamic IP is the only end that can 
rekey, anyway. On the end with the static IP, where the other end is 
dynamic, would have rekey=no.

> You just happen to be mostly using the one exception case of a VPN 
> access gateway for roadwarriors.

The central end has a static IP and the road warriors have dynamic IPs - 
isn't that the common case, not the exception?


More information about the Users mailing list