[Openswan Users] RFC: make rekey=no default if other end is %any

Paul Wouters paul at xelerance.com
Mon Mar 7 20:21:21 EST 2011


On Mon, 7 Mar 2011, Michael Smith wrote:

>> On Mon, 7 Mar 2011, Michael Smith wrote:
>>> I wonder if it'd be possible to default rekey=no if the remote end is %any.
>>
>> That would cause disasters to everyone with subnet-subnet tunnels out
>> there on static ipsec gateways that would upgrade.
>
> The end with the dynamic IP would still have rekey=yes,

Oh wait. Of course, you are right. I'm not sure if we can do it dynamically
though, because pluto does not determine its side of the connection on loading
the connection. I'll file this in the tracker and think about it some more.

>> You just happen to be mostly using the one exception case of a VPN
>> access gateway for roadwarriors.
>
> The central end has a static IP and the road warriors have dynamic IPs -
> isn't that the common case, not the exception?

For the "roadwarrior gateway" yes, but there are many other types of VPN
connections - though they tend to not use "%any".

Paul
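The distinction drawn in this thread (a `%any` peer means this end cannot initiate a rekey, while a static subnet-subnet tunnel should keep rekey=yes on both ends) can be turned into a quick audit of an ipsec.conf. The following is an added example, not code from the thread or from Openswan itself. It assumes Openswan's documented default of `rekey=yes`, that left/right in the file are not yet local/remote (pluto orients the connection later, as Paul notes), and that the file does not rely on `also=` or `conn %default` inheritance; the sample configuration it parses is constructed for the example, with addresses from documentation ranges.

```python
import re

# Constructed sample ipsec.conf for this example; not a real deployment.
SAMPLE_IPSEC_CONF = """\
config setup
    protostack=netkey

# Roadwarrior gateway: the peer is unknown until it connects, so this
# end cannot initiate a rekey. The roadwarrior side keeps rekey=yes.
conn roadwarriors
    left=192.0.2.1
    leftsubnet=10.0.0.0/8
    right=%any
    rekey=no
    auto=add

# Same shape, but rekey left at its default of yes: this is what to flag.
conn roadwarriors-legacy
    left=192.0.2.1
    leftsubnet=10.0.0.0/8
    right=%any
    auto=add

# Static subnet-subnet tunnel: both ends have fixed IPs and should rekey,
# so a rekey=no default would be wrong here.
conn branch
    left=192.0.2.1
    leftsubnet=10.0.0.0/8
    right=198.51.100.7
    rightsubnet=10.1.0.0/16
    auto=start
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    Minimal parser: a line starting in column 0 opens a section, indented
    key=value lines belong to the most recent section. Comments and the
    'config setup' section are skipped. Assumption: 'also=' and
    'conn %default' inheritance are not resolved.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            m = re.match(r"conn\s+(\S+)", line)
            current = conns.setdefault(m.group(1), {}) if m else None
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        current[key.strip()] = value.strip()
    return conns


def rekey_findings(conns):
    """Flag conns whose peer is %any but which would still try to rekey.

    Openswan's default for rekey is yes (assumption stated in the lead-in).
    Either side is checked, because left/right in the file do not yet mean
    local/remote; pluto orients the connection when it is used.
    """
    findings = []
    for name, kv in conns.items():
        any_side = [s for s in ("left", "right") if kv.get(s) == "%any"]
        if any_side and kv.get("rekey", "yes").lower() != "no":
            findings.append((name, any_side[0]))
    return findings


if __name__ == "__main__":
    for name, side in rekey_findings(parse_conns(SAMPLE_IPSEC_CONF)):
        print(f"conn {name}: {side}=%any but rekey is not 'no'")
```

Run against a real file by replacing `SAMPLE_IPSEC_CONF` with the file contents; conns that inherit settings via `also=` need that resolved first, or the check will miss a `rekey=no` set in the included block.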

