[Openswan Users] RFC: make rekey=no default if other end is %any
Michael Smith
msmith at cbnco.com
Mon Mar 7 19:40:46 EST 2011

On Mon, 7 Mar 2011, Paul Wouters wrote:

> On Mon, 7 Mar 2011, Michael Smith wrote:
> > I wonder if it'd be possible to default rekey=no if the remote end is %any.
>
> That would cause disasters to everyone with subnet-subnet tunnels out
> there on static ipsec gateways that would upgrade.

The end with the dynamic IP would still have rekey=yes, because the other
end would be static. The end with the dynamic IP is the only end that can
rekey, anyway. The end with the static IP, where the other end is
dynamic, would have rekey=no.

> You just happen to be mostly using the one exception case of a VPN
> access gateway for roadwarriors.

The central end has a static IP and the road warriors have dynamic IPs -
isn't that the common case, not the exception?

Mike