From: Tom Rymes
To: development@lists.ipfire.org
Subject: Re: [PATCH 1/2] ipsec: Add script to ensure VPNs are always on
Date: Wed, 05 Feb 2020 12:19:32 -0500
Message-ID: <3d9d5a30-8bec-cbe2-0dc5-2792ad057220@rymes.com>

On 02/05/2020 11:53 AM, Michael Tremer wrote:
> Hi,
>
>> On 5 Feb 2020, at 15:23, Tom Rymes wrote:
>>
>> I probably misunderstood something here, but if we're setting all tunnels to auto=route, what's the difference between On-Demand and Always-On?
>
> Thank you for looking at this. Good question.
>
> For strongswan there will be no difference any more, but the script that checks the tunnels every 5 minutes will only try to bring up the “always on” tunnels.

OK, I see what you mean. May I suggest that we eliminate the distinction between "Always-On" and "On Demand" and just retain the time limit for inactivity? Tunnels set to have a limited time before being shut down to inactivity shouldn't be brought back up by the script and those that do not should be.

>> Also, this should be a nice improvement for reliability, as lots of folks don't know that choosing "Always-On" means "auto=start", which is far less reliable.
>
> I think it is best to not offer these options any more. I suppose this only matters for users where one peer is behind NAT. Then you want to make sure that the tunnel is always up (but wouldn’t you normally always care about this?) or you would want the other side not to initiate a connection.

Maybe you're saying the same thing I just said up above?

tom
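An added sketch, not the script from the patch and not IPFire's own code, of the periodic check as Tom proposes it: tunnels without an inactivity time limit are brought back up when they are not established, tunnels with a limit are left alone. The "name:inactivity_seconds" list format, the connection names and the established list are constructed sample data; on a real system the established check would come from strongSwan's `ipsec status <name>` and the result would be fed to `ipsec up <name>`.

```shell
#!/bin/sh
# Added sketch of a periodic tunnel watchdog; not the script from the patch.
# Assumed settings format (constructed): one "name:inactivity_seconds" per line,
# where 0 means the tunnel has no inactivity limit and should stay up.
TUNNELS="branch-a:0
branch-b:600
dc-backup:0"

# Constructed sample of connections that currently have an established IKE_SA.
# A real run would replace is_established() with something like
#   ipsec status "$name" | grep -q ESTABLISHED
ESTABLISHED="branch-a"

is_established() {
    # $1 = connection name, $2 = newline-separated list of established names
    printf '%s\n' "$2" | grep -qx -- "$1"
}

tunnels_to_bring_up() {
    # Prints the names of tunnels the watchdog should try to bring up:
    # no inactivity limit (0) and not currently established.
    # $1 = settings list, $2 = established list
    printf '%s\n' "$1" | while IFS=: read -r name timeout; do
        [ -n "$name" ] || continue
        [ "$timeout" -eq 0 ] || continue   # has an inactivity limit: leave it down
        is_established "$name" "$2" && continue
        printf '%s\n' "$name"
    done
}

# Stand-alone run: what a 5-minute cron job would hand to "ipsec up <name>"
for name in $(tunnels_to_bring_up "$TUNNELS" "$ESTABLISHED"); do
    echo "would run: ipsec up $name"
done
```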