From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Strongswan and auto=start
Date: Tue, 05 Mar 2019 15:28:03 +0000
Message-ID: <5A8243E0-1271-4669-BFB4-3BE5A01D5ABA@ipfire.org>

Hi,

I got it. Yay!

https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=eb09c90ef47606f616201fddc5e783149aee9228

The patch looks simple, but this was a lot of work :(

And I changed the default straight away:

https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=b15b70bc6b6b5f6d8b62e5b730b68d86f59810e6

This is what we want, isn’t it?

Best,
-Michael

> On 27 Feb 2019, at 17:12, Tom Rymes wrote:
>
> Yes, my apologies, I thought I had sent that message days ago, but it was sitting there waiting to be sent, and it clearly could have been more, um, clear.
>
> What I meant was that, for years, we routinely modified the CGI to change the line that wrote out “auto=start” to “auto=route”. This made it so that the tunnel configurations were automatically written out correctly, and we just had to remember to modify that one line after updates when the CGI was overwritten (like we currently do for unbound and .internal domains).
>
> Would it not be possible to revert to the old CGI, then make that one modification to have all Net-to-Net tunnels use auto=route? We could then add in a timeout function and drop down if folks would like to retain the on-demand functionality (though I think that unlimited should be the default, as I imagine most net-to-net tunnels are intended to be always-on).
>
> Tom
>
>> On Feb 27, 2019, at 11:47 AM, Michael Tremer wrote:
>>
>> Hi,
>>
>> No, auto=start was the default.
>>
>> I would prefer to have auto=route as the default.
>>
>> When you say you did that for years you are referring to your own setup, right?
>>
>> -Michael
>>
>>> On 25 Feb 2019, at 23:16, Tom Rymes wrote:
>>>
>>> Would it not be possible to revert to the old CGI, prior to On-Demand, and change the auto=start line to auto=route? We did that for years.
>>>
>>> Tom
>>>
>>>> On Feb 18, 2019, at 6:43 AM, Michael Tremer wrote:
>>>>
>>>> Hi,
>>>>
>>>> I tried to change this in the CGI, but it is not so easy.
>>>>
>>>> But I would be in favour of On-Demand being the default.
>>>>
>>>> Best,
>>>> -Michael
>>>>
>>>>> On 18 Feb 2019, at 04:44, Tom Rymes wrote:
>>>>>
>>>>> A while back, I made a feature request to allow configuration of the Strongswan “auto” parameter via the WUI. This made its way into the WUI as the “On-Demand” feature a while back (thank you!!!) https://bugzilla.ipfire.org/show_bug.cgi?id=10733
>>>>>
>>>>> At the time, I had posted a few links to messages on the StrongSwan mailing list that indicated that auto=route results in superior reliability, and our experience bears this out, but the default remains “auto=start”.
>>>>>
>>>>> In order to support Windows roadwarrior connections, IPFire’s host cert needs a dns Subject Alt Name, so I had to delete all of our tunnels and certs, then recreate them. This meant that I had to change both sides of ~20 tunnels from the default “Always On” (auto=start) to “On Demand” (auto=route).
>>>>>
>>>>> Coincidentally, this message from one of the developers came across the StrongSwan Users list tonight, which basically makes clear that auto=start should not be used: https://lists.strongswan.org/pipermail/users/2019-February/013373.html
>>>>>
>>>>> The relevant quotation: “Use auto=route. Auto=start is not reliable.”
>>>>>
>>>>> This raises the question as to why auto=start is still the default in IPFire.
>>>>>
>>>>> Thoughts?
>>>>>
>>>>> Tom
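As an added illustration that is not from the thread and not the config IPFire's CGI writes, this is what the two WUI choices discussed above correspond to in a strongSwan ipsec.conf net-to-net connection; the addresses, identities and the extra keepalive keys are assumptions for the example, not IPFire defaults:

```ini
# Hypothetical net-to-net tunnel (constructed example; addresses and ids are placeholders).
conn office-to-branch
        keyexchange = ikev2
        left = 203.0.113.1
        leftsubnet = 10.0.1.0/24
        leftid = @gw-office.example
        right = 198.51.100.1
        rightsubnet = 10.0.2.0/24
        rightid = @gw-branch.example
        authby = pubkey
        # "Always On" in the WUI: the daemon initiates the tunnel once when it loads
        # the connection; nothing in the kernel re-triggers negotiation later.
        #auto = start
        # "On Demand" in the WUI: trap policies are installed immediately, so matching
        # traffic is held for negotiation instead of being forwarded unprotected,
        # and the next matching packet brings the tunnel up again if it was lost.
        auto = route
        # Assumed extras (not in the thread): dead peer detection plus restart on
        # close keep a long-lived net-to-net tunnel effectively always on.
        dpdaction = restart
        dpddelay = 30s
        closeaction = restart
        keyingtries = %forever
```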