From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH 1/2] ipsec: Add script to ensure VPNs are always on
Date: Thu, 06 Feb 2020 15:03:14 +0000
Message-ID: <5CECA878-928D-4859-9053-1F4DD59B15F0@ipfire.org>
In-Reply-To: <8cdb5ccc-5e67-5268-8a89-a46b069a4d8f@rymes.com>

Hi,

> On 5 Feb 2020, at 17:36, Tom Rymes wrote:
>
> On 02/05/2020 12:22 PM, Michael Tremer wrote:
>> Hi,
>>> On 5 Feb 2020, at 17:19, Tom Rymes wrote:
>
> [snip]
>
>>> OK, I see what you mean. May I suggest that we eliminate the distinction between "Always-On" and "On Demand" and just retain the time limit for inactivity? Tunnels set to have a limited time before being shut down to inactivity shouldn't be brought back up by the script and those that do not should be.
>> That would still change one more thing. We would then decide to always keep all tunnels up. I am not sure if that has any disadvantages for anyone really. But we would definitely have to drop the timeout, too, because otherwise the tunnel will be brought down and the script will bring it back up again shortly after.
>
> Sorry for being unclear. There are currently eight options for "Inactivity Timeout", including "Unlimited". I would propose that the script you are adding should only bring back up tunnels whose Inactivity Timeout is set to "Unlimited". A tunnel with a timeout of one hour would time out, go down, and then the script should ignore it.

The inactivity timeout is only active when the connection is in “on demand” mode. The script ignores connections in that mode, so nothing will happen here.

> Does that make sense?
>
> Tom