From: Tom Rymes
To: development@lists.ipfire.org
Subject: Re: Strongswan and auto=start
Date: Tue, 05 Mar 2019 11:51:05 -0500
Message-ID: <2803d245-1060-44ce-a2ac-326392933ce8@rymes.com>
In-Reply-To: <5A8243E0-1271-4669-BFB4-3BE5A01D5ABA@ipfire.org>

Great news, Michael, thanks for putting the work in on this. It sure looks like the right solution to me.

I would suggest that we consider changing the default for INACTIVITY_TIMEOUT to unlimited, but I can see how others might differ on that.

Tom

On 03/05/2019 10:28 AM, Michael Tremer wrote:
> Hi,
>
> I got it. Yay!
>
> https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=eb09c90ef47606f616201fddc5e783149aee9228
>
> The patch looks simple, but this was a lot of work :(
>
> And I changed the default straight away:
>
> https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=b15b70bc6b6b5f6d8b62e5b730b68d86f59810e6
>
> This is what we want, isn’t it?
>
> Best,
> -Michael
>
>> On 27 Feb 2019, at 17:12, Tom Rymes wrote:
>>
>> Yes, my apologies, I thought I had sent that message days ago, but it was sitting there waiting to be sent, and it clearly could have been more, um, clear.
>>
>> What I meant was that, for years, we routinely modified the CGI to change the line that wrote out “auto=start” to “auto=route”. This made it so that the tunnel configurations were automatically written out correctly, and we just had to remember to modify that one line after updates when the CGI was overwritten (like we currently do for unbound and .internal domains).
>>
>> Would it not be possible to revert to the old CGI, then make that one modification to have all Net-to-Net tunnels use auto=route? We could then add in a timeout function and drop down if folks would like to retain the on-demand functionality (though I think that unlimited should be the default, as I imagine most net-to-net tunnels are intended to be always-on).
>>
>> Tom
>>
>>> On Feb 27, 2019, at 11:47 AM, Michael Tremer wrote:
>>>
>>> Hi,
>>>
>>> No, auto=start was the default.
>>>
>>> I would prefer to have auto=route as the default.
>>>
>>> When you say you did that for years you are referring to your own setup, right?
>>>
>>> -Michael
>>>
>>>> On 25 Feb 2019, at 23:16, Tom Rymes wrote:
>>>>
>>>> Would it not be possible to revert to the old CGI, prior to On-Demand and change the auto=start line to auto=route? We did that for years.
>>>>
>>>> Tom
>>>>
>>>>> On Feb 18, 2019, at 6:43 AM, Michael Tremer wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I tried to change this in the CGI, but it is not so easy.
>>>>>
>>>>> But I would be in favour of On-Demand being the default.
>>>>>
>>>>> Best,
>>>>> -Michael
>>>>>
>>>>>> On 18 Feb 2019, at 04:44, Tom Rymes wrote:
>>>>>>
>>>>>> A while back, I made a feature request to allow configuration of the Strongswan “auto” parameter via the WUI. This made its way into the WUI as the “On-Demand” feature a while back (thank you!!!) https://bugzilla.ipfire.org/show_bug.cgi?id=10733
>>>>>>
>>>>>> At the time, I had posted a few links to messages on the StrongSwan mailing list that indicated that auto=route results in superior reliability, and our experience bears this out, but the default remains “auto=start”.
>>>>>>
>>>>>> In order to support Windows roadwarrior connections, IPFire’s host cert needs a dns Subject Alt Name, so I had to delete all of our tunnels and certs, then recreate them. This meant that I had to change both sides of ~20 tunnels from the default “Always On” (auto=start) to “On Demand” (auto=route).
>>>>>>
>>>>>> Coincidentally, this message from one of the developers came across the StrongSwan Users list tonight, which basically makes clear that auto=start should not be used: https://lists.strongswan.org/pipermail/users/2019-February/013373.html
>>>>>>
>>>>>> The relevant quotation: “Use auto=route. Auto=start is not reliable.”
>>>>>>
>>>>>> This raises the question as to why auto=start is still the default in IPFire.
>>>>>>
>>>>>> Thoughts?
>>>>>>
>>>>>> Tom
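Added example, not code from the thread and not IPFire's generated configuration: a net-to-net connection in strongswan ipsec.conf syntax showing the auto=start setting the thread argues against beside the auto=route setting it prefers, together with the inactivity option that an on-demand timeout of the kind discussed above maps to. Subnets, the peer address, identities and the certificate file name are constructed placeholders.

```conf
# Constructed example: one net-to-net conn block as strongswan's ipsec.conf
# carries it. Addresses, identities and the cert name are placeholders.
conn site-to-site
    keyexchange=ikev2
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    leftid=@fw-a.example.invalid
    leftcert=hostcert.pem
    right=203.0.113.10
    rightsubnet=192.168.2.0/24
    rightid=@fw-b.example.invalid

    # "Always On" as the thread calls it: charon initiates the SA once at
    # startup. After the configured keyingtries are exhausted, or if the SA
    # is later deleted and nothing re-initiates it, the tunnel stays down.
    # While it is down there is no IPsec policy for the remote subnet, so
    # traffic for it simply follows ordinary routing.
    #auto=start

    # "On Demand": charon installs a trap policy for the traffic selectors
    # instead of initiating. The first matching packet triggers an acquire
    # and the SA is negotiated; if the SA goes away the trap policy remains,
    # traffic is held rather than sent unprotected, and the next packet
    # brings the tunnel back without operator intervention.
    auto=route

    # With auto=route, an idle CHILD_SA can be closed after a quiet period;
    # the trap policy re-establishes it when traffic returns. Leave the
    # option out for an always-on tunnel (the "unlimited" default argued for
    # above).
    #inactivity=30m

    # Recover from a dead peer or a remote close by re-establishing the
    # tunnel instead of leaving it down.
    dpdaction=restart
    dpddelay=30s
    closeaction=restart
```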