From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Strongswan and auto=start
Date: Wed, 27 Feb 2019 16:46:55 +0000
Message-ID: <03715558-2162-4317-B4A9-1DE8E24F161B@ipfire.org>
In-Reply-To: <32FF8B0B-1D8C-4964-85B4-77DC6598F63D@rymes.com>

Hi,

No, auto=start was the default. I would prefer to have auto=route as the default.

When you say you did that for years you are referring to your own setup, right?

-Michael

> On 25 Feb 2019, at 23:16, Tom Rymes wrote:
>
> Would it not be possible to revert to the old CGI, prior to On-Demand and change the auto=start line to auto=route? We did that for years.
>
> Tom
>
>> On Feb 18, 2019, at 6:43 AM, Michael Tremer wrote:
>>
>> Hi,
>>
>> I tried to change this in the CGI, but it is not so easy.
>>
>> But I would be in favour of On-Demand being the default.
>>
>> Best,
>> -Michael
>>
>>> On 18 Feb 2019, at 04:44, Tom Rymes wrote:
>>>
>>> A while back, I made a feature request to allow configuration of the Strongswan “auto” parameter via the WUI. This made its way into the WUI as the “On-Demand” feature a while back (thank you!!!) https://bugzilla.ipfire.org/show_bug.cgi?id=10733
>>>
>>> At the time, I had posted a few links to messages on the StrongSwan mailing list that indicated that auto=route results in superior reliability, and our experience bears this out, but the default remains “auto=start”.
>>>
>>> In order to support Windows roadwarrior connections, IPFire’s host cert needs a dns Subject Alt Name, so I had to delete all of our tunnels and certs, then recreate them. This meant that I had to change both sides of ~20 tunnels from the default “Always On” (auto=start) to “On Demand” (auto=route).
>>>
>>> Coincidentally, this message from one of the developers came across the StrongSwan Users list tonight, which basically makes clear that auto=start should not be used: https://lists.strongswan.org/pipermail/users/2019-February/013373.html
>>>
>>> The relevant quotation: “Use auto=route. Auto=start is not reliable.”
>>>
>>> This raises the question as to why auto=start is still the default in IPFire.
>>>
>>> Thoughts?
>>>
>>> Tom
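
An added example, not part of the original thread and not IPFire's or strongSwan's code: a small audit that lists which tunnels in a strongSwan ipsec.conf still resolve to auto=start, including those that only inherit it from conn %default. The sample configuration, tunnel names and addresses are constructed, and the parser is a simplification that assumes the legacy ipsec.conf layout and does not follow also= inclusions.

```python
# Constructed sample in strongSwan's legacy ipsec.conf syntax (not taken from IPFire).
SAMPLE_CONF = """\
conn %default
    keyexchange=ikev2
    auto=start

conn office-a
    right=198.51.100.10
    auto=route

conn office-b
    right=198.51.100.20

conn roadwarrior
    right=%any
    auto=add
"""


def parse_conns(text):
    """Return {conn name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():  # an unindented line starts a new section
            parts = line.split()
            is_conn = len(parts) == 2 and parts[0] == "conn"
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def effective_auto(conns):
    """Resolve auto= per tunnel: own value, else conn %default, else 'ignore'."""
    default = conns.get("%default", {}).get("auto", "ignore")
    return {n: o.get("auto", default) for n, o in conns.items() if n != "%default"}


def always_on(conns):
    """Names of tunnels whose effective setting is auto=start."""
    return sorted(n for n, a in effective_auto(conns).items() if a == "start")


if __name__ == "__main__":
    print("still auto=start:", always_on(parse_conns(SAMPLE_CONF)))
```

In the sample, office-b is reported even though it has no auto= line of its own, which is the case a per-tunnel review misses when the default is auto=start.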