From: Michael Tremer
To: development@lists.ipfire.org
Subject: On-Demand IPsec VPN
Date: Wed, 15 Feb 2017 14:53:56 +0000
Message-ID: <1487170436.24657.168.camel@ipfire.org>

Hello guys,

sorry for my absence in the last few days and weeks. This list has been more or less read-only for me and I would like to change this. I would like to see more people involved in this project and take part in what we do here. So it is important that everyone is in the know about what is going on.

This morning I worked on a small feature which is probably quite interesting: On-demand IPsec VPN tunnels.

What does it do? It essentially installs triggers in the kernel instead of bringing up the VPN tunnel right away. As soon as the kernel is receiving a packet that is supposed to be sent through that VPN, it will ask strongSwan to bring up the tunnel and send the packet. When the VPN tunnel has not transferred any packets for 15 minutes, it will terminate it and restart it when it is needed again.

Why is this such a great feature? It is simple, but in scenarios with many VPN tunnels (e.g. headquarters and many branch offices) it does not always make sense to keep all tunnels up all of the time. This feature will shut down any tunnels that are not needed and keep resources free. This is probably not much, but we have seen machines with only little entropy and we have seen IPsec becoming unstable then.

The web user interface shows the status if a tunnel is idle or connected.

Patches are in next:

http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=dcb406cc675c42f9add4a41c8a1e07eea7c3ab08
http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=1ee1666ee45268db405a66b8ec05501c718e7702
http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=8057ab15b9efeecf8eca7ad4ebba170f141bd3de

It would be cool if you all could have a look at them, test them, maybe complete translations for any languages that you speak, etc.

I am not sure if this will cause some problems with some applications that rely on fast establishing of connections.

Looking forward to hearing your feedback!

Best,
-Michael
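
Added example, not part of the original message and not taken from the linked patches: a strongSwan `ipsec.conf` sketch of the behaviour described above, with an always-on connection beside an on-demand one. The connection names, addresses and subnets are constructed, and the assumption is that the feature maps onto strongSwan's `auto=route` and `inactivity` options.

```conf
# Constructed example. Names, addresses and subnets are placeholders.

# Always-on: the tunnel is negotiated as soon as the daemon starts
# and stays up whether or not any traffic uses it.
conn branch-always-on
    keyexchange=ikev2
    left=203.0.113.1
    leftsubnet=192.168.0.0/24
    right=198.51.100.7
    rightsubnet=192.168.10.0/24
    leftauth=psk
    rightauth=psk
    auto=start

# On-demand: only a trap policy is installed in the kernel. The first
# packet matching leftsubnet -> rightsubnet makes the kernel ask
# strongSwan to negotiate the tunnel.
conn branch-on-demand
    keyexchange=ikev2
    left=203.0.113.1
    leftsubnet=192.168.0.0/24
    right=198.51.100.8
    rightsubnet=192.168.20.0/24
    leftauth=psk
    rightauth=psk
    auto=route
    # Close the CHILD_SA after 15 minutes without traffic in either
    # direction; the next matching packet brings it up again.
    inactivity=15m
```

`ipsec statusall` lists a connection loaded with `auto=route` under "Routed Connections" until matching traffic triggers negotiation.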